Sourced from org.owasp:dependency-check-maven's releases.

Version 12.2.1

Refer to the CHANGELOG.md for information about improvements and upgrade notes.

Sourced from org.owasp:dependency-check-maven's changelog.

Version 12.2.1 (2026-04-11)

-
• build: improve GHA workflow experience for forks (#8285)
-
• build: use maven jdk toolchains to build with Java 25; test against Java 11/17/21/25 (#8292)
-
• chore: avoid use of parent pom and maven properties where unnecessary (#8322)
-
• chore: bump java development to 25.0 (#8365)
-
• chore: fix Charset warnings; preferring typed charsets (#8326)
-
• chore: fix Maven scm tags after 12.2.1-SNAPSHOT bump (#8265)
-
• chore: pin GitHub actions to specific SHAs rather than mutable tags (#8381)
-
• chore: remove unused properties and schemas (#8378)
-
• docs: define schema locations in XML examples (#8254)
-
• docs: document external data sources and hostnames (#8219)
-
• docs: ensure OSS Index URL override is consistently documented (#8338)
-
• docs: fix minor typo in README (#8246)
-
• fix(core): correct xml schema validation handling without needing external access (#8272)
-
• fix(deps): upgrade slf4j and logback (#8306)
-
• fix(test): disable pnpm analyzer during test (#8305)
-
• fix: Correct published/hosted suppressions namespace header and indent (#8258)
-
• fix: Suppress noisy WARN logging from Apache Lucene within Maven and Ant plugins (#8248)
-
• fix: #8140 AssemblyAnalyzer version resolution issue (#8352)
-
• fix: #8140 fix version resolution
-
• fix: #8140 hint azure_identity_library_for_.net
-
• fix: #8356 narrow down VersionFilterAnalyzer scope to JAR files (#8358)
-
• fix: correct parsing for CVSSv4 strings with Provider Urgency (#8377)
-
• fix: evidence source in Retire JS analyzer (#8303)
-
• fix: exclude deprecations from Yarn Berry audit results (#8380)
-
• fix: improve PEAnalyzer reliability by migrating to maintained PE/COFF 4J library fork (#8245)
-
• fix: improve configuration consistency (casing) (#8355)
-
• fix: improve logging of unexpected Java Errors during processing of NVD (#8250)
-
• fix: raw type warning in ProcessReader (#8324)
-
• fix: suppress false positives for zabbix-utils #8087 (#8218)
-
• fix: update docs (#8405)
-
• fix: warn if deprecated configs are used (#8366)
-
• test: Make tests locale independent (#8328)
-
• test: #8140 reproduce current behavior
-
• test: avoid polluting test classpaths with sample dependencies to be scanned (#8267)

See the full listing of changes

• bda36b8 build: prepare release v12.2.1
• ef83e7b docs: prepare release 12.2.1
-
• 09af10d fix: update docs (#8405)
-
• 3562775 build(deps): bump golang from 1.26.1-alpine to 1.26.2-alpine (#8403)
• 9ef93be build(deps): bump golang from 1.26.1-alpine to 1.26.2-alpine
• ca79bd5 build(deps-dev): bump com.github.spotbugs:spotbugs-maven-plugin from 4.9.8.2 ...
-
• 6b58069 build(deps): bump apache.ant.version from 1.10.15 to 1.10.16 (#8401)
-
• 91c6972 fix: correct parsing for CVSSv4 strings with Provider Urgency (#8377)
-
• 267e7eb build(deps): bump the actions-deps group with 2 updates (#8394)
-
• 53f58ab build(deps): bump org.codehaus.plexus:plexus-utils from 4.0.2 to 4.0.3 (#8389)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)