Skip to content

Bump org.mockito:mockito-core from 3.12.4 to 5.23.0#43

Open
dependabot[bot] wants to merge 2 commits into
masterfrom
dependabot/gradle/org.mockito-mockito-core-5.23.0
Open

Bump org.mockito:mockito-core from 3.12.4 to 5.23.0#43
dependabot[bot] wants to merge 2 commits into
masterfrom
dependabot/gradle/org.mockito-mockito-core-5.23.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 7, 2026

Copy link
Copy Markdown
Contributor

Bumps org.mockito:mockito-core from 3.12.4 to 5.23.0.

Release notes

Sourced from org.mockito:mockito-core's releases.

v5.23.0

NOTE: Breaking change for Android

The mockito-android artifact has a breaking change: tests now require a device or emulator based on API 28+ (Android P). This is to enable new support for mocking Kotlin classes. See #3788 for more details.


Changelog generated by Shipkit Changelog Gradle Plugin

5.23.0

v5.22.0

Changelog generated by Shipkit Changelog Gradle Plugin

5.22.0

v5.21.0

Changelog generated by Shipkit Changelog Gradle Plugin

5.21.0

... (truncated)

Commits
  • a231205 Fix StackOverflowError with AbstractList after using mockSingleton (#3790)
  • f6a91a6 Replace mockito-android mock maker implementation with dexmaker-mockito-inlin...
  • aa2298a fix: make spotless happy
  • a6729d6 chore: update BDDMockito with jspecify annotation
  • bb83c92 chore: move jspecify as a compile only dependency
  • 47a4695 chore: add jspecify with minimal change. Fixes #3503
  • 25f1395 Add core API to enable Kotlin singleton mocking (#3762)
  • ef9ee55 Avoids mocking private static methods, as well as package-private static meth...
  • d16fcfc Bump graalvm/setup-graalvm from 1.4.4 to 1.4.5 (#3780)
  • 27eb8a3 Clarify RETURNS_MOCKS behavior with sealed abstract enums (Java 15+) (#3773)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [org.mockito:mockito-core](https://github.com/mockito/mockito) from 3.12.4 to 5.23.0.
- [Release notes](https://github.com/mockito/mockito/releases)
- [Commits](mockito/mockito@v3.12.4...v5.23.0)

---
updated-dependencies:
- dependency-name: org.mockito:mockito-core
  dependency-version: 5.23.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update java code labels Jul 7, 2026
The version bump in build.gradle wasn't reflected in the locked
testCompileClasspath/testRuntimeClasspath configurations, so the build
failed with dependency-locking violations. Regenerated lib/gradle.lockfile
via `gradle dependencies --write-locks`, which also pulls in the byte-buddy
1.17.7 and objenesis 3.3 versions mockito-core 5.23.0 actually requires.
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedmaven/​org.mockito/​mockito-core@​3.12.4 ⏵ 5.23.03610090100100

View full report

Copy link
Copy Markdown
Contributor

Review summary: safe to merge (with a fix applied)

Mockito is test-scope only (testImplementation), so this bump can't affect anything shipped to consumers of the SDK — it only affects whether tests compile/run.

Usage audit

Mockito is used in 10 test files, all through the same small, stable subset of the API: mock(), when().thenReturn()/.thenThrow()/.thenAnswer(), verify() (with times()/never()), reset(), ArgumentMatchers.any()/anyString()/anyBoolean()/eq(), and ArgumentCaptor. Every mocked type is a plain interface (IExecute, IProvideDecrypt, IProvideCagePublicKeyFromHttpApi, Apache HttpClient's HttpRequest/HttpContext, etc.) — nothing mocks a final class, a static method, or a constructor, and nothing uses @Mock/MockitoExtension/spy()/PowerMock.

Changelog review (3.12.4 → 5.23.0)

  • v4.0.0 removed several long-deprecated APIs (org.mockito.Matchers, anyObject/anyVararg, verifyZeroInteractions, the old org.mockito.runners JUnit runners, etc.) — none of these are used in this repo.
  • v5.0.0 raised the minimum JDK to 11 and switched the default mock maker to the inline (ByteBuddy-based) implementation instead of subclassing. This only changes behavior for mocking final classes/static methods, which this repo never does, so it's a no-op here in practice.
  • v5.1.0–5.23.0: bug fixes and new opt-in features (Kotlin singleton mocking, GraalVM support, JDK 25 fixes) — no further breaking changes relevant to this codebase.

Issue found and fixed

The bump alone didn't actually build: this repo uses Gradle dependency locking (dependencyLocking { lockAllConfigurations() }), and lib/gradle.lockfile still pinned org.mockito:mockito-core:3.12.4. Dependabot updated build.gradle but not the lockfile, so ./gradlew test failed immediately with "Cannot find a version of 'org.mockito:mockito-core' that satisfies the version constraints."

Pushed a follow-up commit that regenerates lib/gradle.lockfile (gradle dependencies --write-locks), which also picks up the transitive bumps Mockito 5.23.0 actually needs: byte-buddy/byte-buddy-agent 1.11.13 → 1.17.7, and objenesis 3.2 → 3.3 (test runtime only). No other files changed.

Verification

Ran the full test suite before and after: both master (old Mockito) and this branch (new Mockito + lockfile fix) produce 121 tests, 15 failures — the 15 failures are pre-existing EndToEndTest-based integration tests that hit the live Evervault API and require TEST_EV_APP_ID/TEST_EV_API_KEY (unavailable in this sandbox), unrelated to this change. Every unit test that actually exercises Mockito passes cleanly on 5.23.0.

Recommendation: safe to merge once CI (which does have network/credentials) confirms green, particularly the JDK 8 leg in the test matrix — Mockito 5 needs JDK 11+ to run, but that's about the JVM executing the test task, not the library's own sourceCompatibility (still 1.8), so it should be unaffected; worth a quick glance at that CI leg regardless.


Generated by Claude Code

@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: maven org.mockito:mockito-core is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: lib/gradle.lockfilemaven/org.mockito/mockito-core@5.23.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore maven/org.mockito/mockito-core@5.23.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file java Pull requests that update java code

Development

Successfully merging this pull request may close these issues.

2 participants