security(maven): 🛡️ minor 🛡️ vulnerability [unknown]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
net.sourceforge.pmd:pmd-core (source)	7.10.0 → 7.22.0
org.springframework:spring-web	6.0.23 → 6.1.0
com.fasterxml.jackson.core:jackson-core	2.15.0 → 2.18.6

GitHub Vulnerability Alerts

CVE-2026-28338

Summary

PMD's vbhtml and yahtml report formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted source code containing crafted string literals, the generated HTML report contains executable JavaScript that runs when opened in a browser.

While the default html format is not affected via rule violation messages (it correctly uses StringEscapeUtils.escapeHtml4()), it has a similar problem when rendering suppressed violations. The user supplied message (the reason for the suppression) was not escaped.

Details

VBHTMLRenderer.java line 71 appends rv.getDescription() directly into HTML:

sb.append("<td><font class=body>").append(rv.getDescription()).append("</font></td>");

YAHTMLRenderer.java lines 196–203 does the same via renderViolationRow():

private String renderViolationRow(String name, String value) {
    return "<tr><td><b>" + name + "</b></td>" + "<td>" + value + "</td></tr>";
}

Called at line 172:

out.print(renderViolationRow("Description:", violation.getDescription()));

The violation message originates from AvoidDuplicateLiteralsRule.java line 91, which embeds raw string literal values via first.toPrintableString(). This calls StringUtil.escapeJava() (line 476–480), which is a Java source escaper — it passes <, >, and & through unchanged because they are printable ASCII (0x20–0x7e).

By contrast, HTMLRenderer.java line 143 properly escapes:

String d = StringEscapeUtils.escapeHtml4(rv.getDescription());

PoC

1. Create a Java file with 4+ duplicate string literals containing an HTML payload:

public class Exploit {
    String a = "<img src=x onerror=alert(document.domain)>";
    String b = "<img src=x onerror=alert(document.domain)>";
    String c = "<img src=x onerror=alert(document.domain)>";
    String d = "<img src=x onerror=alert(document.domain)>";
}

2. Run PMD with the vbhtml format:

pmd check -R category/java/errorprone.xml -f vbhtml -d Exploit.java -r report.html

3. Open report.html in a browser. A JavaScript alert executes showing document.domain.

The generated HTML contains the unescaped tag:

<td><font class=body>The String literal "<img src=x onerror=alert(document.domain)>" appears 4 times in this file</font></td>

Tested and confirmed on PMD 7.22.0-SNAPSHOT (commit bcc646c53d).

Impact

Stored cross-site scripting (XSS). Affects CI/CD pipelines that run PMD with --format vbhtml or --format yahtml on untrusted source code (e.g., pull requests from external contributors) and expose the HTML report as a build artifact. JavaScript executes in the browser context of anyone who opens the report.

Practical impact is limited because vbhtml and yahtml are legacy formats rarely used in practice. The default html format has a similar issue with user messages from suppressed violations.

Fixes

• See #​6475: [core] Fix stored XSS in VBHTMLRenderer and YAHTMLRenderer

---

PMD Designer has Stored XSS in VBHTMLRenderer and YAHTMLRenderer via unescaped violation messages

CVE-2026-28338 / GHSA-8rr6-2qw5-pc7r

More information

Details

Summary

PMD's vbhtml and yahtml report formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted source code containing crafted string literals, the generated HTML report contains executable JavaScript that runs when opened in a browser.

While the default html format is not affected via rule violation messages (it correctly uses StringEscapeUtils.escapeHtml4()), it has a similar problem when rendering suppressed violations. The user supplied message (the reason for the suppression) was not escaped.

Details

VBHTMLRenderer.java line 71 appends rv.getDescription() directly into HTML:

sb.append("<td><font class=body>").append(rv.getDescription()).append("</font></td>");

YAHTMLRenderer.java lines 196–203 does the same via renderViolationRow():

private String renderViolationRow(String name, String value) {
    return "<tr><td><b>" + name + "</b></td>" + "<td>" + value + "</td></tr>";
}

Called at line 172:

out.print(renderViolationRow("Description:", violation.getDescription()));

The violation message originates from AvoidDuplicateLiteralsRule.java line 91, which embeds raw string literal values via first.toPrintableString(). This calls StringUtil.escapeJava() (line 476–480), which is a Java source escaper — it passes <, >, and & through unchanged because they are printable ASCII (0x20–0x7e).

By contrast, HTMLRenderer.java line 143 properly escapes:

String d = StringEscapeUtils.escapeHtml4(rv.getDescription());

PoC

1. Create a Java file with 4+ duplicate string literals containing an HTML payload:

public class Exploit {
    String a = "<img src=x onerror=alert(document.domain)>";
    String b = "<img src=x onerror=alert(document.domain)>";
    String c = "<img src=x onerror=alert(document.domain)>";
    String d = "<img src=x onerror=alert(document.domain)>";
}

2. Run PMD with the vbhtml format:

pmd check -R category/java/errorprone.xml -f vbhtml -d Exploit.java -r report.html

3. Open report.html in a browser. A JavaScript alert executes showing document.domain.

The generated HTML contains the unescaped tag:

<td><font class=body>The String literal "<img src=x onerror=alert(document.domain)>" appears 4 times in this file</font></td>

Tested and confirmed on PMD 7.22.0-SNAPSHOT (commit bcc646c53d).

Impact

Stored cross-site scripting (XSS). Affects CI/CD pipelines that run PMD with --format vbhtml or --format yahtml on untrusted source code (e.g., pull requests from external contributors) and expose the HTML report as a build artifact. JavaScript executes in the browser context of anyone who opens the report.

Practical impact is limited because vbhtml and yahtml are legacy formats rarely used in practice. The default html format has a similar issue with user messages from suppressed violations.

Fixes

• See #​6475: [core] Fix stored XSS in VBHTMLRenderer and YAHTMLRenderer

Severity

• CVSS Score: Unknown
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

References

• https://github.com/pmd/pmd/security/advisories/GHSA-8rr6-2qw5-pc7r
• https://nvd.nist.gov/vuln/detail/CVE-2026-28338
• https://github.com/pmd/pmd/pull/6475
• https://github.com/pmd/pmd/commit/c140c0e1de5853a08efb84c9f91dfeb015882442
• https://github.com/pmd/pmd

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Spring Framework vulnerable to a reflected file download (RFD)

CVE-2025-41234 / GHSA-6r3c-xf4w-jxjm

More information

Details

Description

In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-supplied input.

Specifically, an application is vulnerable when all the following are true:

• The header is prepared with org.springframework.http.ContentDisposition.
• The filename is set via ContentDisposition.Builder#filename(String, Charset).
• The value for the filename is derived from user-supplied input.
• The application does not sanitize the user-supplied input.
• The downloaded content of the response is injected with malicious commands by the attacker (see RFD paper reference for details).

An application is not vulnerable if any of the following is true:

• The application does not set a “Content-Disposition” response header.
• The header is not prepared with org.springframework.http.ContentDisposition.
• The filename is set via one of:
  • ContentDisposition.Builder#filename(String), or
  • ContentDisposition.Builder#filename(String, ASCII)
• The filename is not derived from user-supplied input.
• The filename is derived from user-supplied input but sanitized by the application.
• The attacker cannot inject malicious content in the downloaded content of the response.

Affected Spring Products and VersionsSpring Framework

• 6.2.0 - 6.2.7
• 6.1.0 - 6.1.20
• 6.0.5 - 6.0.28
• Older, unsupported versions are not affected

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s)	Fix version	Availability
6.2.x	6.2.8	OSS
6.1.x	6.1.21	OSS
6.0.x	6.0.29	Commercial

No further mitigation steps are necessary.

Severity

• CVSS Score: Unknown
• Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-41234
• https://github.com/spring-projects/spring-framework/issues/35034
• https://github.com/spring-projects/spring-framework/commit/f0e7b42704e6b33958f242d91bd690d6ef7ada9c
• https://github.com/spring-projects/spring-framework
• https://spring.io/security/cve-2025-41234

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Spring Framework DataBinder Case Sensitive Match Exception

CVE-2024-38820 / GHSA-4gc7-5j7h-4qph

More information

Details

The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.

Severity

• CVSS Score: Unknown
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-38820
• https://github.com/spring-projects/spring-framework/commit/23656aebc6c7d0f9faff1080981eb4d55eff296c
• https://github.com/spring-projects/spring-framework
• https://github.com/spring-projects/spring-framework/commits/v6.2.0-RC2
• https://security.netapp.com/advisory/ntap-20241129-0003
• https://spring.io/security/cve-2024-38820

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

GHSA-72hv-8253-57qq

Summary

The non-blocking (async) JSON parser in jackson-core bypasses the maxNumberLength constraint (default: 1000 characters) defined in StreamReadConstraints. This allows an attacker to send JSON with arbitrarily long numbers through the async parser API, leading to excessive memory allocation and potential CPU exhaustion, resulting in a Denial of Service (DoS).

The standard synchronous parser correctly enforces this limit, but the async parser fails to do so, creating an inconsistent enforcement policy.

Details

The root cause is that the async parsing path in NonBlockingUtf8JsonParserBase (and related classes) does not call the methods responsible for number length validation.

• The number parsing methods (e.g., _finishNumberIntegralPart) accumulate digits into the TextBuffer without any length checks.
• After parsing, they call _valueComplete(), which finalizes the token but does not call resetInt() or resetFloat().
• The resetInt()/resetFloat() methods in ParserBase are where the validateIntegerLength() and validateFPLength() checks are performed.
• Because this validation step is skipped, the maxNumberLength constraint is never enforced in the async code path.

PoC

The following JUnit 5 test demonstrates the vulnerability. It shows that the async parser accepts a 5,000-digit number, whereas the limit should be 1,000.

package tools.jackson.core.unittest.dos;

import java.nio.charset.StandardCharsets;

import org.junit.jupiter.api.Test;

import tools.jackson.core.*;
import tools.jackson.core.exc.StreamConstraintsException;
import tools.jackson.core.json.JsonFactory;
import tools.jackson.core.json.async.NonBlockingByteArrayJsonParser;

import static org.junit.jupiter.api.Assertions.*;

/**
 * POC: Number Length Constraint Bypass in Non-Blocking (Async) JSON Parsers
 *
 * Authors: sprabhav7, rohan-repos
 * 
 * maxNumberLength default = 1000 characters (digits).
 * A number with more than 1000 digits should be rejected by any parser.
 *
 * BUG: The async parser never calls resetInt()/resetFloat() which is where
 * validateIntegerLength()/validateFPLength() lives. Instead it calls
 * _valueComplete() which skips all number length validation.
 *
 * CWE-770: Allocation of Resources Without Limits or Throttling
 */
class AsyncParserNumberLengthBypassTest {

    private static final int MAX_NUMBER_LENGTH = 1000;
    private static final int TEST_NUMBER_LENGTH = 5000;

    private final JsonFactory factory = new JsonFactory();

    // CONTROL: Sync parser correctly rejects a number exceeding maxNumberLength
    @​Test
    void syncParserRejectsLongNumber() throws Exception {
        byte[] payload = buildPayloadWithLongInteger(TEST_NUMBER_LENGTH);
		
		// Output to console
        System.out.println("[SYNC] Parsing " + TEST_NUMBER_LENGTH + "-digit number (limit: " + MAX_NUMBER_LENGTH + ")");
        try {
            try (JsonParser p = factory.createParser(ObjectReadContext.empty(), payload)) {
                while (p.nextToken() != null) {
                    if (p.currentToken() == JsonToken.VALUE_NUMBER_INT) {
                        System.out.println("[SYNC] Accepted number with " + p.getText().length() + " digits — UNEXPECTED");
                    }
                }
            }
            fail("Sync parser must reject a " + TEST_NUMBER_LENGTH + "-digit number");
        } catch (StreamConstraintsException e) {
            System.out.println("[SYNC] Rejected with StreamConstraintsException: " + e.getMessage());
        }
    }

    // VULNERABILITY: Async parser accepts the SAME number that sync rejects
    @​Test
    void asyncParserAcceptsLongNumber() throws Exception {
        byte[] payload = buildPayloadWithLongInteger(TEST_NUMBER_LENGTH);

        NonBlockingByteArrayJsonParser p =
            (NonBlockingByteArrayJsonParser) factory.createNonBlockingByteArrayParser(ObjectReadContext.empty());
        p.feedInput(payload, 0, payload.length);
        p.endOfInput();

        boolean foundNumber = false;
        try {
            while (p.nextToken() != null) {
                if (p.currentToken() == JsonToken.VALUE_NUMBER_INT) {
                    foundNumber = true;
                    String numberText = p.getText();
                    assertEquals(TEST_NUMBER_LENGTH, numberText.length(),
                        "Async parser silently accepted all " + TEST_NUMBER_LENGTH + " digits");
                }
            }
            // Output to console
            System.out.println("[ASYNC INT] Accepted number with " + TEST_NUMBER_LENGTH + " digits — BUG CONFIRMED");
            assertTrue(foundNumber, "Parser should have produced a VALUE_NUMBER_INT token");
        } catch (StreamConstraintsException e) {
            fail("Bug is fixed — async parser now correctly rejects long numbers: " + e.getMessage());
        }
        p.close();
    }

    private byte[] buildPayloadWithLongInteger(int numDigits) {
        StringBuilder sb = new StringBuilder(numDigits + 10);
        sb.append("{\"v\":");
        for (int i = 0; i < numDigits; i++) {
            sb.append((char) ('1' + (i % 9)));
        }
        sb.append('}');
        return sb.toString().getBytes(StandardCharsets.UTF_8);
    }
}

Impact

A malicious actor can send a JSON document with an arbitrarily long number to an application using the async parser (e.g., in a Spring WebFlux or other reactive application). This can cause:

1. Memory Exhaustion: Unbounded allocation of memory in the TextBuffer to store the number's digits, leading to an OutOfMemoryError.
2. CPU Exhaustion: If the application subsequently calls getBigIntegerValue() or getDecimalValue(), the JVM can be tied up in O(n^2) BigInteger parsing operations, leading to a CPU-based DoS.

Suggested Remediation

The async parsing path should be updated to respect the maxNumberLength constraint. The simplest fix appears to ensure that _valueComplete() or a similar method in the async path calls the appropriate validation methods (resetInt() or resetFloat()) already present in ParserBase, mirroring the behavior of the synchronous parsers.

NOTE: This research was performed in collaboration with rohan-repos

---

jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition

GHSA-72hv-8253-57qq

More information

Details

Summary

The non-blocking (async) JSON parser in jackson-core bypasses the maxNumberLength constraint (default: 1000 characters) defined in StreamReadConstraints. This allows an attacker to send JSON with arbitrarily long numbers through the async parser API, leading to excessive memory allocation and potential CPU exhaustion, resulting in a Denial of Service (DoS).

The standard synchronous parser correctly enforces this limit, but the async parser fails to do so, creating an inconsistent enforcement policy.

Details

The root cause is that the async parsing path in NonBlockingUtf8JsonParserBase (and related classes) does not call the methods responsible for number length validation.

• The number parsing methods (e.g., _finishNumberIntegralPart) accumulate digits into the TextBuffer without any length checks.
• After parsing, they call _valueComplete(), which finalizes the token but does not call resetInt() or resetFloat().
• The resetInt()/resetFloat() methods in ParserBase are where the validateIntegerLength() and validateFPLength() checks are performed.
• Because this validation step is skipped, the maxNumberLength constraint is never enforced in the async code path.

PoC

The following JUnit 5 test demonstrates the vulnerability. It shows that the async parser accepts a 5,000-digit number, whereas the limit should be 1,000.

package tools.jackson.core.unittest.dos;

import java.nio.charset.StandardCharsets;

import org.junit.jupiter.api.Test;

import tools.jackson.core.*;
import tools.jackson.core.exc.StreamConstraintsException;
import tools.jackson.core.json.JsonFactory;
import tools.jackson.core.json.async.NonBlockingByteArrayJsonParser;

import static org.junit.jupiter.api.Assertions.*;

/**
 * POC: Number Length Constraint Bypass in Non-Blocking (Async) JSON Parsers
 *
 * Authors: sprabhav7, rohan-repos
 * 
 * maxNumberLength default = 1000 characters (digits).
 * A number with more than 1000 digits should be rejected by any parser.
 *
 * BUG: The async parser never calls resetInt()/resetFloat() which is where
 * validateIntegerLength()/validateFPLength() lives. Instead it calls
 * _valueComplete() which skips all number length validation.
 *
 * CWE-770: Allocation of Resources Without Limits or Throttling
 */
class AsyncParserNumberLengthBypassTest {

    private static final int MAX_NUMBER_LENGTH = 1000;
    private static final int TEST_NUMBER_LENGTH = 5000;

    private final JsonFactory factory = new JsonFactory();

    // CONTROL: Sync parser correctly rejects a number exceeding maxNumberLength
    @​Test
    void syncParserRejectsLongNumber() throws Exception {
        byte[] payload = buildPayloadWithLongInteger(TEST_NUMBER_LENGTH);
		
		// Output to console
        System.out.println("[SYNC] Parsing " + TEST_NUMBER_LENGTH + "-digit number (limit: " + MAX_NUMBER_LENGTH + ")");
        try {
            try (JsonParser p = factory.createParser(ObjectReadContext.empty(), payload)) {
                while (p.nextToken() != null) {
                    if (p.currentToken() == JsonToken.VALUE_NUMBER_INT) {
                        System.out.println("[SYNC] Accepted number with " + p.getText().length() + " digits — UNEXPECTED");
                    }
                }
            }
            fail("Sync parser must reject a " + TEST_NUMBER_LENGTH + "-digit number");
        } catch (StreamConstraintsException e) {
            System.out.println("[SYNC] Rejected with StreamConstraintsException: " + e.getMessage());
        }
    }

    // VULNERABILITY: Async parser accepts the SAME number that sync rejects
    @​Test
    void asyncParserAcceptsLongNumber() throws Exception {
        byte[] payload = buildPayloadWithLongInteger(TEST_NUMBER_LENGTH);

        NonBlockingByteArrayJsonParser p =
            (NonBlockingByteArrayJsonParser) factory.createNonBlockingByteArrayParser(ObjectReadContext.empty());
        p.feedInput(payload, 0, payload.length);
        p.endOfInput();

        boolean foundNumber = false;
        try {
            while (p.nextToken() != null) {
                if (p.currentToken() == JsonToken.VALUE_NUMBER_INT) {
                    foundNumber = true;
                    String numberText = p.getText();
                    assertEquals(TEST_NUMBER_LENGTH, numberText.length(),
                        "Async parser silently accepted all " + TEST_NUMBER_LENGTH + " digits");
                }
            }
            // Output to console
            System.out.println("[ASYNC INT] Accepted number with " + TEST_NUMBER_LENGTH + " digits — BUG CONFIRMED");
            assertTrue(foundNumber, "Parser should have produced a VALUE_NUMBER_INT token");
        } catch (StreamConstraintsException e) {
            fail("Bug is fixed — async parser now correctly rejects long numbers: " + e.getMessage());
        }
        p.close();
    }

    private byte[] buildPayloadWithLongInteger(int numDigits) {
        StringBuilder sb = new StringBuilder(numDigits + 10);
        sb.append("{\"v\":");
        for (int i = 0; i < numDigits; i++) {
            sb.append((char) ('1' + (i % 9)));
        }
        sb.append('}');
        return sb.toString().getBytes(StandardCharsets.UTF_8);
    }
}

Impact

A malicious actor can send a JSON document with an arbitrarily long number to an application using the async parser (e.g., in a Spring WebFlux or other reactive application). This can cause:

1. Memory Exhaustion: Unbounded allocation of memory in the TextBuffer to store the number's digits, leading to an OutOfMemoryError.
2. CPU Exhaustion: If the application subsequently calls getBigIntegerValue() or getDecimalValue(), the JVM can be tied up in O(n^2) BigInteger parsing operations, leading to a CPU-based DoS.

Suggested Remediation

The async parsing path should be updated to respect the maxNumberLength constraint. The simplest fix appears to ensure that _valueComplete() or a similar method in the async path calls the appropriate validation methods (resetInt() or resetFloat()) already present in ParserBase, mirroring the behavior of the synchronous parsers.

NOTE: This research was performed in collaboration with rohan-repos

Severity

• CVSS Score: Unknown
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/FasterXML/jackson-core/security/advisories/GHSA-72hv-8253-57qq
• https://github.com/FasterXML/jackson-core/issues/1538
• https://github.com/FasterXML/jackson-core/commit/a004e9789c2cc6b41b379d02d229d58474d9a738
• https://github.com/FasterXML/jackson-core

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

spring-projects/spring-framework (org.springframework:spring-web)

v6.1.0

⭐ New Features

• When using Oracle, JdbcClient.update(KeyHolder) does not work without explicit key column names #​31607
• Introduce way to convert ClientHttpResponse to desired type #​31597
• Property-driven onRefresh exit for AppCDS purpose #​31595
• No Micrometer traceId in JMS listener container errorHandler #​31559
• Register Hibernate @EmbeddableInstantiators registered on JPA embeddables for reflection #​31534
• Improve method validation support for errors on elements within a container #​31530
• Support pattern matching for method names in ControlFlowPointcut #​31435
• Review reachability metadata contributions after GraalVM changes #​31213
• handleEmptyBody of RequestBodyAdvice should apply also when content-type is not set #​30522

🐞 Bug Fixes

• Regression with @EnableJpaAuditing using Spring Boot 3.2-RC2 in native image #​31575
• Retrieving the response body as a List of POJOs fails with RestClient but passes with WebTestClient #​31574
• ExecutorLifecycleDelegate should call ExecutorService.isTerminated() in ?.isRunning() #​31549
• RestTemplate POST to endpoint using Digest Auth no longer works in 6.1 #​31516
• Code generation for constructor arguments must cast null indexed argument value #​31508
• \n in form model when using Jetty 12 client and multipart/form-data #​31361
• Add status handler to recognize unknown status codes outside of 4xx/5? #​31202

📔 Documentation

• Document how to log @Sql scripts and statements #​31589
• Link to KDoc API documentation from Javadoc overview #​31587
• Fix link in Javadoc of ConfigurableMockMvcBuilder #​31542
• Add note about @[Enabled|Disabled]InNativeImage in reference manual #​31438
• Document @DisabledInAotMode in the reference manual #​31437
• Document @Sql class-level execution phase support in the reference manual #​31377
• Document that Micrometer's "error" tag should be preferred vs. legacy "exception" tag #​31514

🔨 Dependency Upgrades

• Upgrade to Context Propagation 1.1.0 #​31599
• Upgrade to Kotlin 1.9.20 #​31539
• Upgrade to Micrometer 1.12.0 #​31556
• Upgrade to Reactor 2023.0.0 #​31557

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Young-Zen, @​duesenklipper, @​izeye, @​k-seth, and @​wakingrufus

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

This PR was generated by Mend Renovate. View the repository job log.

[snyk-io]

⛔ Snyk checks have failed. 2 issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (2)
⛔	Open Source Security	0	2	0	0	2 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.