
Bump junit from 4.12 to 4.13.1 #1

Status: Open
dependabot[bot] wants to merge 2 commits into main from dependabot/maven/junit-junit-4.13.1


Conversation

dependabot[bot] commented on behalf of github, Oct 13, 2020

Bumps junit from 4.12 to 4.13.1.

Release notes

Sourced from junit's releases.

JUnit 4.13.1

Please refer to the release notes for details.

JUnit 4.13

Please refer to the release notes for details.

JUnit 4.13 RC 2

Please refer to the release notes for details.

JUnit 4.13 RC 1

Please refer to the release notes for details.

JUnit 4.13 Beta 3

Please refer to the release notes for details.

JUnit 4.13 Beta 2

Please refer to the release notes for details.

JUnit 4.13 Beta 1

Please refer to the release notes for details.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Scot P. Floess and others added 2 commits July 10, 2019 16:04
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Oct 13, 2020

sfloess (Member) commented Jun 7, 2026

🤖 AUTONOMOUS PR REVIEW

Quality Score: 12/100
AI Consensus: request_changes (5% agreement)
Impact Risk: low
Auto-Decision: REJECT

Decision Reasoning

Low quality score (12/100)

Impact Analysis

  • Breaking Changes: 0
  • High-Risk Changes: 0
  • Files Impacted: 0
  • Missing Tests: 0

AI Reviews (3 models)

opus - request_changes (15/100, 97% confidence)

  • Issues: 4 (2 critical)
    • critical: The PR is completely obsolete. The main branch has already migrated from JUnit 4 (junit:junit) to JUnit 5 (org.junit.jupiter:junit-jupiter 5.10.2). This PR attempts to bump the old JUnit 4 dependency from 4.12 to 4.13.1, which no longer exists in the current pom.xml. The change has no valid target.
    • critical: The PR has merge conflicts (mergeable status is CONFLICTING). The pom.xml on main has been completely restructured since this branch was created, making a clean merge impossible.
    • medium: An unrelated CODE_OF_CONDUCT.md file (76 lines) is bundled into what should be a dependency-only version bump PR. This commit is from a different author (repo owner, dated 2019-07-10) and violates the single-purpose PR principle. It should be submitted as a separate PR if still desired.
    • ✅ The original intent was good -- Dependabot correctly identified that JUnit 4.13.1 includes a security fix (GHSA-269g-pwp5-87pp for TemporaryFolder vulnerability)
    • ✅ SonarCloud code analysis check passed on the PR

sonnet - request_changes (15/100, 100% confidence)

  • Issues: 6 (5 critical)
    • critical: PR is completely obsolete - attempts to bump JUnit 4.12 → 4.13.1 but main branch already uses JUnit Jupiter 5.10.2. Project has moved from JUnit 4 to JUnit 5.
    • critical: PR branch pom.xml contains outdated project metadata (artifactId: jSecurity, version: 1.0.0) while main branch has artifactId: diskwipe-java, version: 1.0 with complete modern Maven configuration
    • critical: Merging this PR would cause catastrophic regression - would replace current JUnit 5 dependency (org.junit.jupiter:junit-jupiter:5.10.2) with ancient JUnit 4.13.1, breaking all existing tests
    • ✅ Dependabot attempted to address a known security vulnerability (JUnit 4.12 → 4.13.1 fixes CVE-2020-15250)
    • ✅ PR included CODE_OF_CONDUCT.md which may have been useful at the time

haiku - request_changes (5/100, 99% confidence)

  • Issues: 15 (9 critical)
    • critical: Complete project regression: pom.xml reverted from 185 lines to 18 lines. Removes all build plugins (compiler, surefire, jacoco, maven-enforcer, javadoc, jar), coverage requirements, SCM configuration, and distribution management. Project metadata completely changed from 'diskwipe-java' to 'jSecurity'. This is not a junit bump—it's a revert to an ancient baseline.
    • critical: Source file deleted. The branch contains jsecurity/disk/CleanDisk.java (old package) instead of current diskwipe/CleanDisk.java. Complete codebase replacement with old project code.
    • critical: Source file deleted and replaced with old jsecurity implementation.
    • ✅ The junit version bump itself (4.12 to 4.13.1) is technically correct if kept in isolation

Arbiter Decision (opus)

All three reviewing models unanimously recommend request_changes with very high confidence (97-100%) and extremely low quality scores (5-15/100). Upon independent analysis, this consensus is entirely justified. The PR is fundamentally obsolete: the project has already migrated from JUnit 4 (junit:junit) to JUnit 5 (org.junit.jupiter:junit-jupiter 5.10.2) on main. This PR attempts to bump an old JUnit 4 dependency from 4.12 to 4.13.1, which no longer exists in the project's pom.xml. Additionally, the PR has merge conflicts (mergeable status is CONFLICTING), is nearly 6 years old (created October 2020), includes an unrelated CODE_OF_CONDUCT.md file in its diff due to the stale branch base, and even the target version 4.13.1 would be outdated (4.13.2 was the final JUnit 4 release). This PR should be closed, not merged.

Key Concerns:

  • The project has already migrated from JUnit 4 to JUnit 5 (org.junit.jupiter:junit-jupiter 5.10.2) -- the dependency this PR modifies no longer exists in pom.xml
  • The PR has merge conflicts (mergeable status: CONFLICTING) and cannot be merged as-is
  • The PR is nearly 6 years old (created 2020-10-13) and is completely stale
  • The PR diff includes an unrelated CODE_OF_CONDUCT.md file due to the ancient branch base
  • Even if JUnit 4 were still in use, version 4.13.1 is outdated -- 4.13.2 was the final JUnit 4 release
  • This Dependabot PR should be closed rather than updated, since the underlying dependency was removed entirely

Automated review by pr-review-auto workflow
Approval Criteria: Quality ≥ 90, Consensus ≥ 85%, No breaking changes
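The reviews above agree on the one check that decides this PR: whether a pom.xml still declares junit:junit below 4.13.1 (the first JUnit 4 release carrying the TemporaryFolder fix, CVE-2020-15250 / GHSA-269g-pwp5-87pp) or has moved to junit-jupiter (JUnit 5), which is outside that range. The following audit script is an added example, not Dependabot's, the project's or the reviewers' code; the sample pom is constructed and `FIXED_JUNIT4`, `audit_junit` and the other names are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

FIXED_JUNIT4 = (4, 13, 1)  # first JUnit 4 release with the TemporaryFolder fix

# Constructed sample pom, modelled on the PR branch (junit:junit 4.12)
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <artifactId>jSecurity</artifactId>
  <dependencies>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.12</version>
    </dependency>
  </dependencies>
</project>
"""

def parse_version(text):
    """'4.13.1' -> (4, 13, 1); '4.12' -> (4, 12). Unresolved ${props} give None."""
    if not text or "${" in text:
        return None
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def find_dependencies(pom_xml):
    """Yield (groupId, artifactId, version) per <dependency>; POM namespace-aware."""
    root = ET.fromstring(pom_xml)
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    q = lambda tag: f"{{{ns}}}{tag}" if ns else tag
    for dep in root.iter(q("dependency")):
        el = {t: dep.find(q(t)) for t in ("groupId", "artifactId", "version")}
        yield tuple((el[t].text or "").strip() if el[t] is not None else "" for t in el)

def audit_junit(pom_xml):
    """Return 'vulnerable', 'unknown', 'fixed', 'junit5' or 'absent' (worst first).
    junit:junit < 4.13.1 is in the CVE-2020-15250 range; junit-jupiter (JUnit 5) is not."""
    found = set()
    for group, artifact, version in find_dependencies(pom_xml):
        if group == "junit" and artifact == "junit":
            v = parse_version(version)
            found.add("unknown" if v is None else "fixed" if v >= FIXED_JUNIT4 else "vulnerable")
        elif group == "org.junit.jupiter":
            found.add("junit5")
    for verdict in ("vulnerable", "unknown", "fixed", "junit5"):
        if verdict in found:
            return verdict
    return "absent"
```

`audit_junit(SAMPLE_POM)` returns `'vulnerable'` for the 4.12 branch, and `'junit5'` for a pom that only declares org.junit.jupiter, which is why the reviewers call the bump obsolete rather than merely conflicting.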

sfloess (Member) left a review comment:

⚠️ Changes requested: Low quality score (12/100)

sfloess (Member) commented Jun 7, 2026

🤖 INTERACTIVE PR REVIEW

Quality Score: 15/100
AI Consensus: request_changes (15% agreement)
Impact Risk: low
Auto-Decision: REJECT

Decision Reasoning

Low quality score (15/100)

Impact Analysis

  • Breaking Changes: 0
  • High-Risk Changes: 0
  • Files Impacted: 0
  • Missing Tests: 0

AI Reviews (3 models)

opus - request_changes (15/100, 97% confidence)

  • Issues: 3 (1 critical)
    • critical: The PR targets a JUnit 4.12 dependency that no longer exists in the main branch. The project has already migrated to JUnit Jupiter 5.10.2. This PR is completely stale and cannot be merged -- GitHub reports the mergeable status as CONFLICTING.
    • medium: A CODE_OF_CONDUCT.md file is bundled into what should be a pure dependency version bump PR. This is unrelated scope creep and should be in a separate PR if desired.
    • low: Even if the JUnit 4 dependency still existed, bumping from 4.12 to 4.13.1 is itself outdated. JUnit 4.13.2 was the final JUnit 4 release (fixing CVE-2020-15250 related to TemporaryFolder), and the project has already moved past JUnit 4 entirely.
    • ✅ Dependabot correctly identified a security vulnerability (GHSA-269g-pwp5-87pp / CVE-2020-15250) in JUnit 4.12 related to TemporaryFolder permissions
    • ✅ The CI check (SonarCloud) did pass on the branch at the time it was created

sonnet - request_changes (15/100, 95% confidence)

  • Issues: 5 (3 critical)
    • critical: PR title claims to bump JUnit 4.12 to 4.13.1, but the diff shows adding CODE_OF_CONDUCT.md file instead. Complete mismatch between PR description and actual changes.
    • critical: Project currently uses JUnit 5 (junit-jupiter 5.10.2), making a JUnit 4 bump completely obsolete and incompatible. This PR would introduce JUnit 4 alongside JUnit 5, creating dependency conflicts.
    • high: The CODE_OF_CONDUCT.md file shown in the diff was already committed to the repository in July 2019 (commit 999f0eb). This appears to be duplicate/stale content.
    • ✅ JUnit 4.13.1 was a security fix release addressing CVE-2020-15250 (TemporaryFolder path traversal vulnerability)
    • ✅ The CODE_OF_CONDUCT.md file follows the Contributor Covenant standard, which is a widely-adopted community standard

haiku - request_changes (15/100, 95% confidence)

  • Issues: 5 (3 critical)
    • critical: PR targets obsolete JUnit 4 (junit:junit:4.13.1) while main branch uses JUnit 5 (junit-jupiter:5.10.2). This is a breaking downgrade that will break the project.
    • critical: Project artifact ID mismatch: branch uses 'jSecurity' (old project name) while main uses 'diskwipe-java' (current project name). This indicates stale branch.
    • high: File already exists on main branch with newer version (2.1 of Contributor Covenant). PR would revert it to outdated version (1.x based on content). Unnecessary file conflict.
    • ✅ Dependabot correctly identified JUnit 4.12 security vulnerability and attempted patch (4.13.1)
    • ✅ PR branch is properly named following conventional branches (dependabot/maven/...)

Arbiter Decision (opus)

All three models unanimously scored this PR at 15/100 with high confidence (95-97%), requesting changes. Their assessment is correct. This PR is completely obsolete and should be closed rather than merged. The project has already migrated from JUnit 4 to JUnit 5 (Jupiter 5.10.2) on the main branch, making this JUnit 4.12-to-4.13.1 bump entirely irrelevant. The PR has merge conflicts (GitHub reports CONFLICTING status), was created nearly 6 years ago (October 2020) by Dependabot, and the project has since undergone a major rename from jdiskwipe to diskwipe-java. Additionally, the PR bundles an unrelated CODE_OF_CONDUCT.md file (76 lines). There is no value in merging or updating this PR -- it should simply be closed.

Key Concerns:

  • The PR is completely obsolete: the project has already migrated from JUnit 4 (junit:junit) to JUnit 5 (org.junit.jupiter:junit-jupiter 5.10.2), making this JUnit 4.12-to-4.13.1 bump irrelevant.
  • The PR has merge conflicts (GitHub reports CONFLICTING mergeable status) because the pom.xml has diverged significantly since this PR was created.
  • The PR is nearly 6 years old (created October 2020) and the project has undergone major restructuring including a rename from jdiskwipe to diskwipe-java.
  • The PR includes an unrelated CODE_OF_CONDUCT.md file (76 added lines) bundled with the dependency bump.
  • This PR should be closed outright rather than updated -- there is no path to making it useful given the JUnit 5 migration already completed on main.

Automated review by pr-review-auto workflow
Approval Criteria: Quality ≥ 90, Consensus ≥ 85%, No breaking changes

sfloess (Member) left a review comment:

⚠️ Changes requested: Low quality score (15/100)
