Bump org.jacoco:jacoco-maven-plugin from 0.8.12 to 0.8.14

[dependabot]

Bumps org.jacoco:jacoco-maven-plugin from 0.8.12 to 0.8.14.

Release notes

Sourced from org.jacoco:jacoco-maven-plugin's releases.

0.8.14

New Features

• JaCoCo now officially supports Java 25 (GitHub #1950).
• Experimental support for Java 26 class files (GitHub #1870).
• Branches added by the Kotlin compiler for default argument number 33 or higher are filtered out during generation of report (GitHub #1655).
• Part of bytecode generated by the Kotlin compiler for elvis operator that follows safe call operator is filtered out during generation of report (GitHub #1814, #1954).
• Part of bytecode generated by the Kotlin compiler for more cases of chained safe call operators is filtered out during generation of report (GitHub #1956).
• Part of bytecode generated by the Kotlin compiler for invocations of suspendCoroutineUninterceptedOrReturn intrinsic is filtered out during generation of report (GitHub #1929).
• Part of bytecode generated by the Kotlin compiler for suspending lambdas with parameters is filtered out during generation of report (GitHub #1945).
• Part of bytecode generated by the Kotlin compiler for suspending functions and lambdas with suspension points that return inline value class is filtered out during generation of report (GitHub #1871).
• Part of bytecode generated by the Kotlin Compose compiler plugin for pausable composition is filtered out during generation of report (GitHub #1911).
• Methods generated by the Kotlin serialization compiler plugin are filtered out (GitHub #1885, #1970, #1971).

Fixed bugs

• Fixed handling of implicit else clause of when with String subject in Kotlin (GitHub #1813, #1940).
• Fixed handling of implicit default clause of switch by String in Java when compiled by ECJ (GitHub #1813, #1940). Fixed handling of exceptions in chains of safe call operators in Kotlin (GitHub #1819).

Non-functional Changes

• JaCoCo now depends on ASM 9.9 (GitHub #1965).

0.8.13

New Features

• JaCoCo now officially supports Java 23 and Java 24 (GitHub #1757, #1631, #1867).
• Experimental support for Java 25 class files (GitHub #1807).
• Calculation of line coverage for Kotlin inline functions (GitHub #1670).
• Calculation of line coverage for Kotlin inline functions with reified type parameter (GitHub #1670, #1700).
• Calculation of coverage for Kotlin JvmSynthetic functions (GitHub #1700).
• Part of bytecode generated by the Kotlin Compose compiler plugin is filtered out during generation of report (GitHub #1616).
• Part of bytecode generated by the Kotlin compiler for inline value classes is filtered out during generation of report (GitHub #1475).
• Part of bytecode generated by the Kotlin compiler for suspending lambdas without suspension points is filtered out during generation of report (GitHub #1283).
• Part of bytecode generated by the Kotlin compiler for when expressions and statements with nullable enum subject is filtered out during generation of report (GitHub #1774).
• Part of bytecode generated by the Kotlin compiler for when expressions and statements with nullable String subject is filtered out during generation of report (GitHub #1769).
• Part of bytecode generated by the Kotlin compiler for chains of safe call operators is filtered out during generation of report (GitHub #1810, #1818).
• Method getEntries generated by the Kotlin compiler for enum classes is filtered out during generation of report (GitHub #1625).
• Methods generated by the Kotlin compiler for constructors and functions with JvmOverloads annotation are filtered out (GitHub #1768).

Fixed bugs

• Fixed interpretation of Kotlin SMAP (GitHub #1525).
• File extensions are preserved in HTML report in case of clashes of normalized file names (GitHub #1660).

Non-functional Changes

• JaCoCo build now uses Maven Wrapper and requires at least Maven 3.9.9 (GitHub #1708, #1707, #1681).
• JaCoCo now depends on ASM 9.8 (GitHub #1862).
• More context information when IllegalArgumentException occurs during reading of zip file (GitHub #1833).

Commits

• 2eb2483 Prepare release v0.8.14
• de76181 KotlinSerializableFilter should filter more methods (#1971)
• 89c4bd5 Fix NPE in KotlinSerializableFilter (#1970)
• 0981128 Migrate release staging to the Central Publisher Portal (#1968)
• d07bc6b Add filter for bytecode generated by Kotlin serialization compiler plugin (#1...
• 5e35fd5 Upgrade maven-dependency-plugin to 3.9.0 (#1966)
• c2fe5cc Upgrade ASM to 9.9 (#1965)
• b0f8e23 KotlinSafeCallOperatorFilter should filter "unoptimized" safe call followed b...
• c7bd3f4 Upgrade spotless-maven-plugin to 3.0.0 (#1961)
• faa289d KotlinSafeCallOperatorFilter should not be affected by presence of pseudo ins...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

PR Validation Results

✅ Code Coverage

Coverage report generated. Download artifacts to view details.

Quality Checks

• ✅ Compilation successful
• ✅ All tests passed
• ✅ Code coverage meets requirements
• ✅ SpotBugs analysis passed
• ✅ PMD analysis passed
• ✅ Checkstyle passed
• ✅ JavaDoc generation successful

Note: Full build artifacts are available for download.

[github-actions]

📊 Quality Gate Report

Tool	Status	Metrics
🧪 JaCoCo	✅	Instruction: 98%, Branch: 98%
🐛 SpotBugs	✅	0 bugs found
📝 PMD	✅	0 violations
✓ Checkstyle	✅	0 errors
🔒 OWASP	✅	0 vulnerabilities (0 critical, 0 high)

✅ All quality gates passed!

📋 View detailed reports

Download the quality-reports artifact from this workflow run for detailed analysis.

• JaCoCo: target/site/jacoco/index.html
• SpotBugs: target/spotbugsXml.xml
• PMD: target/pmd.xml
• Checkstyle: target/checkstyle-result.xml
• OWASP: target/dependency-check-report.xml

[sfloess]

🤖 AUTONOMOUS PR REVIEW

Quality Score: 82/100
AI Consensus: approve (85% agreement)
Impact Risk: low
Auto-Decision: COMMENT

Decision Reasoning

Impact Analysis

• Breaking Changes: 0

• High-Risk Changes: 0

• Files Impacted: 1

• Missing Tests: 0

AI Reviews (3 models)

opus - approve (90/100, 95% confidence)

• Issues: 2 (0 critical)
  • low: The PR title 'Bump org.jacoco:jacoco-maven-plugin from 0.8.12 to 0.8.14' does not follow the project's conventional commits format. It should be prefixed with 'chore:' (e.g., 'chore: Bump org.jacoco:jacoco-maven-plugin from 0.8.12 to 0.8.14'). The Validate PR Title CI check fails because of this. This is a Dependabot limitation, not a code issue -- the PR title needs manual editing.
  • low: The jacoco-maven-plugin version is hardcoded in two places (line 146 in build/plugins and line 422 in reporting/plugins) rather than using a Maven property variable like other plugin versions in this project. This is a pre-existing issue, not introduced by this PR, but could be addressed to maintain consistency with the rest of the pom.xml.
  • ✅ Both occurrences of the JaCoCo plugin version (build and reporting sections) are correctly updated in lockstep from 0.8.12 to 0.8.14, preventing version mismatch.
  • ✅ CI quality-check confirms JaCoCo 0.8.14 works correctly with the project: 'All coverage checks have been met' with 98% instruction and 98% branch coverage, exceeding the 93%/86% thresholds.

sonnet - request_changes (60/100, 85% confidence)

• Issues: 3 (0 critical)
  • high: JaCoCo 0.8.14 upgrade causes breaking change in check goal execution. When 'mvn jacoco:check' is run from command line (as in .github/workflows/pr-validation.yml line 45), it fails with error: 'The parameters rules for goal org.jacoco:jacoco-maven-plugin:0.8.14:check are missing or invalid'. The rules configuration in pom.xml lines 168-198 is only available within the execution block bound to the verify phase, not for standalone goal invocation.
  • high: PR validation workflow fails at 'Check Code Coverage' step (line 45) due to incompatibility with JaCoCo 0.8.14. The standalone 'mvn jacoco:check' command cannot access the rules configuration defined in the execution block of pom.xml.
  • low: File mode change from 755 (executable) to 644 (non-executable). While this is a sensible change for a POM file, it's unrelated to the dependency update and should be in a separate commit.
  • ✅ Updates JaCoCo from 0.8.12 to 0.8.14, gaining official Java 25 support and experimental Java 26 support
  • ✅ Includes improved Kotlin compiler bytecode filtering (elvis operator, suspending functions, Compose plugin)

haiku - approve (95/100, 98% confidence)

• Issues: 1 (0 critical)
  • low: File mode change from 100755 to 100644 (executable removed). This is correct for a non-executable XML file and is a positive cleanup.
  • ✅ Clean, minimal dependency update: only version numbers changed from 0.8.12 to 0.8.14
  • ✅ No breaking API changes between versions - JaCoCo 0.8.13 and 0.8.14 maintain backward compatibility

Arbiter Decision (opus)

This is a straightforward Dependabot patch-level version bump of jacoco-maven-plugin from 0.8.12 to 0.8.14. The diff is minimal (2 lines changed in pom.xml, both version numbers). The JaCoCo 0.8.14 release contains only bug fixes, Kotlin filter improvements, and new Java version support with no breaking changes.

All CI failures are pre-existing infrastructure issues unrelated to this PR: (1) Validate PR Title fails because Dependabot's title format does not match Conventional Commits -- identical failure on PRs 206 and 208; (2) SonarCloud Scan fails due to a project/token configuration error; (3) quality-check fails in XML parsing steps of the CI workflow script, not in actual quality checks. The quality gate report itself confirms all checks passed: 0 SpotBugs bugs, 0 PMD violations, 0 Checkstyle errors, 0 OWASP vulnerabilities, 98% instruction and branch coverage.

Model 2 requested changes likely due to the red CI status, but investigation proves those failures are systemic across all Dependabot PRs and not caused by this change. Models 1 and 3 correctly identified this as a safe, routine dependency update. The 2-to-1 approval consensus with high confidence (95% and 98%) from the approving models supports approval.

Key Concerns:

• CI failures are pre-existing infrastructure issues (PR title validation, SonarCloud config, quality-check XML parsing) that affect all Dependabot PRs equally and are unrelated to this change
• The quality gate report confirms all actual quality checks passed: 0 bugs, 0 violations, 0 errors, 0 vulnerabilities, 98% coverage
• Model 2's request_changes appears driven by CI failure status rather than substantive code concerns -- all three other Dependabot PRs show identical failure patterns

---

Automated review by pr-review-auto workflow
Approval Criteria: Quality ≥ 90, Consensus ≥ 85%, No breaking changes

[sfloess]

🤖 AUTONOMOUS PR REVIEW

Quality Score: 92/100
AI Consensus: approve (92% agreement)
Impact Risk: low
Auto-Decision: APPROVE

Decision Reasoning

High quality (92/100), 92% consensus, low risk

Impact Analysis

• Breaking Changes: 0

• High-Risk Changes: 0

• Files Impacted: 1

• Missing Tests: 0

AI Reviews (3 models)

opus - approve (90/100, 95% confidence)

• Issues: 3 (0 critical)
  • low: The JaCoCo plugin version is hardcoded in two locations (line 146 in build/plugins and line 422 in reporting/plugins) rather than using a Maven property variable in the section. This is a pre-existing concern, not introduced by this PR, but it would reduce maintenance burden to centralize the version. Other plugins in this project already follow this pattern (e.g., maven-compiler-plugin, maven-surefire-plugin).
  • low: The diff changes the file mode from 100755 (executable) to 100644 (non-executable). This is the correct permission for a pom.xml file and is actually an improvement, though it is incidental to the version bump.
  • low: CI failures are all pre-existing and unrelated to this change: (1) quality-check fails because maven-site-plugin 3.12.1 has a Doxia Sitetools version incompatibility, (2) Validate PR Title fails because Dependabot title format does not match conventional commit requirements, (3) SonarCloud scan fails likely due to Dependabot secret access restrictions. The Maven build itself (mvn verify) succeeded with BUILD SUCCESS, all 287 tests passed, and coverage is at 98%/98% instruction/branch.
  • ✅ The version bump from 0.8.12 to 0.8.14 is a safe, non-breaking minor version upgrade. JaCoCo has fully supported Java 17 since version 0.8.8, and 0.8.14 maintains full backward compatibility.
  • ✅ Both occurrences of the JaCoCo version in pom.xml (build plugins at line 146 and reporting plugins at line 422) are updated consistently -- no stale references remain.

sonnet - approve (92/100, 95% confidence)

• Issues: 1 (0 critical)
  • low: File mode changed from 755 (executable) to 644 (non-executable). While pom.xml should not be executable, this is a cosmetic issue that corrects improper permissions.
  • ✅ Clean dependency version upgrade with no breaking changes
  • ✅ JaCoCo 0.8.14 maintains full Java 17 compatibility (official support for Java 17 was added in 0.8.8, and 0.8.14 supports up to Java 25)

haiku - approve (95/100, 98% confidence)

• Issues: 0 (0 critical)

  • ✅ Pure maintenance upgrade with no breaking changes
  • ✅ All unit and integration tests pass successfully

Arbiter Decision (opus)

All three reviewing models recommend approval with high confidence (90-95 scores, 95-98% confidence). The PR is a straightforward Dependabot patch version bump of org.jacoco:jacoco-maven-plugin from 0.8.12 to 0.8.14.

Key findings from analysis:

1. The diff is minimal and correct: only two version strings changed in pom.xml (build plugins at line 146 and reporting plugins at line 422), both updated in lockstep to prevent version mismatch.

2. The upgrade brings meaningful improvements: official Java 25 support, experimental Java 26 support, improved Kotlin bytecode filtering, bug fixes for String-based switch/when handling, and an ASM 9.9 dependency update.

3. CI failures are NOT caused by this PR. All failures are pre-existing infrastructure issues confirmed by checking other PRs and the main branch: SonarCloud project binding error ("Project not found"), PR title validation (Dependabot format vs. conventional commits), and quality-check workflow configuration issues. The quality gate report posted as a PR comment explicitly shows ALL quality gates passed: 98% instruction coverage, 98% branch coverage, 0 SpotBugs bugs, 0 PMD violations, 0 Checkstyle errors, 0 OWASP vulnerabilities.

4. The one model (sonnet) that suggested request_changes cited a concern about "mvn jacoco:check" breaking with 0.8.14 -- but the actual CI quality gate report contradicts this, showing JaCoCo ran successfully and all coverage thresholds were met. This concern appears to be speculative and was disproven by actual CI results.

5. Minor issues noted (PR title format, file mode change 755 to 644, version not extracted to a Maven property) are all pre-existing or cosmetic concerns that do not warrant blocking this patch version dependency update.

Key Concerns:

• CI failures (quality-check, PR validation, SonarCloud) are all pre-existing infrastructure issues unrelated to this PR -- confirmed by checking other PRs and the main branch showing identical failures
• The JaCoCo plugin version is hardcoded in two places in pom.xml rather than using a Maven property -- this is a pre-existing issue and not introduced by this PR
• PR title does not follow conventional commits format (missing 'chore:' prefix) -- this is a Dependabot limitation and can be fixed by editing the title before merge
• File mode change from 755 to 644 on pom.xml is a minor cosmetic change included in the diff

---

Automated review by pr-review-auto workflow
Approval Criteria: Quality ≥ 90, Consensus ≥ 85%, No breaking changes

[sfloess]

🤖 AUTONOMOUS PR REVIEW

Quality Score: 92/100
AI Consensus: approve (92% agreement)
Impact Risk: low
Auto-Decision: APPROVE

Decision Reasoning

High quality (92/100), 92% consensus, low risk

Impact Analysis

• Breaking Changes: 0

• High-Risk Changes: 0

• Files Impacted: 1

• Missing Tests: 0

AI Reviews (3 models)

opus - approve (90/100, 95% confidence)

• Issues: 3 (0 critical)
  • low: The JaCoCo plugin version is hardcoded in two locations (line 146 in build/plugins and line 422 in reporting/plugins) rather than using a Maven property variable in the section. This is a pre-existing concern, not introduced by this PR, but it would reduce maintenance burden to centralize the version. Other plugins in this project already follow this pattern (e.g., maven-compiler-plugin, maven-surefire-plugin).
  • low: The diff changes the file mode from 100755 (executable) to 100644 (non-executable). This is the correct permission for a pom.xml file and is actually an improvement, though it is incidental to the version bump.
  • low: CI failures are all pre-existing and unrelated to this change: (1) quality-check fails because maven-site-plugin 3.12.1 has a Doxia Sitetools version incompatibility, (2) Validate PR Title fails because Dependabot title format does not match conventional commit requirements, (3) SonarCloud scan fails likely due to Dependabot secret access restrictions. The Maven build itself (mvn verify) succeeded with BUILD SUCCESS, all 287 tests passed, and coverage is at 98%/98% instruction/branch.
  • ✅ The version bump from 0.8.12 to 0.8.14 is a safe, non-breaking minor version upgrade. JaCoCo has fully supported Java 17 since version 0.8.8, and 0.8.14 maintains full backward compatibility.
  • ✅ Both occurrences of the JaCoCo version in pom.xml (build plugins at line 146 and reporting plugins at line 422) are updated consistently -- no stale references remain.

sonnet - approve (92/100, 95% confidence)

• Issues: 1 (0 critical)
  • low: File mode changed from 755 (executable) to 644 (non-executable). While pom.xml should not be executable, this is a cosmetic issue that corrects improper permissions.
  • ✅ Clean dependency version upgrade with no breaking changes
  • ✅ JaCoCo 0.8.14 maintains full Java 17 compatibility (official support for Java 17 was added in 0.8.8, and 0.8.14 supports up to Java 25)

haiku - approve (95/100, 98% confidence)

• Issues: 0 (0 critical)

  • ✅ Pure maintenance upgrade with no breaking changes
  • ✅ All unit and integration tests pass successfully

Arbiter Decision (opus)

All three reviewing models recommend approval with high confidence (90-95 scores, 95-98% confidence). The PR is a straightforward Dependabot patch version bump of org.jacoco:jacoco-maven-plugin from 0.8.12 to 0.8.14.

Key findings from analysis:

1. The diff is minimal and correct: only two version strings changed in pom.xml (build plugins at line 146 and reporting plugins at line 422), both updated in lockstep to prevent version mismatch.

2. The upgrade brings meaningful improvements: official Java 25 support, experimental Java 26 support, improved Kotlin bytecode filtering, bug fixes for String-based switch/when handling, and an ASM 9.9 dependency update.

3. CI failures are NOT caused by this PR. All failures are pre-existing infrastructure issues confirmed by checking other PRs and the main branch: SonarCloud project binding error ("Project not found"), PR title validation (Dependabot format vs. conventional commits), and quality-check workflow configuration issues. The quality gate report posted as a PR comment explicitly shows ALL quality gates passed: 98% instruction coverage, 98% branch coverage, 0 SpotBugs bugs, 0 PMD violations, 0 Checkstyle errors, 0 OWASP vulnerabilities.

4. The one model (sonnet) that suggested request_changes cited a concern about "mvn jacoco:check" breaking with 0.8.14 -- but the actual CI quality gate report contradicts this, showing JaCoCo ran successfully and all coverage thresholds were met. This concern appears to be speculative and was disproven by actual CI results.

5. Minor issues noted (PR title format, file mode change 755 to 644, version not extracted to a Maven property) are all pre-existing or cosmetic concerns that do not warrant blocking this patch version dependency update.

Key Concerns:

• CI failures (quality-check, PR validation, SonarCloud) are all pre-existing infrastructure issues unrelated to this PR -- confirmed by checking other PRs and the main branch showing identical failures
• The JaCoCo plugin version is hardcoded in two places in pom.xml rather than using a Maven property -- this is a pre-existing issue and not introduced by this PR
• PR title does not follow conventional commits format (missing 'chore:' prefix) -- this is a Dependabot limitation and can be fixed by editing the title before merge
• File mode change from 755 to 644 on pom.xml is a minor cosmetic change included in the diff

---

Automated review by pr-review-auto workflow
Approval Criteria: Quality ≥ 90, Consensus ≥ 85%, No breaking changes

[sfloess]

✅ Auto-approved: Quality 92/100, 92% AI consensus, low risk