fix(deps): update shadow from 9.0.0-rc2 to 9.4.1

[figure-renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
com.gradleup.shadow	9.0.0-rc2 -> 9.4.1
com.gradleup.shadow:shadow-gradle-plugin	9.0.0-rc2 -> 9.4.1

---

Release Notes

GradleUp/shadow (com.gradleup.shadow)

v9.4.1

Compare Source

Changed

• Update Kotlin to 2.3.20. (#​1978)

v9.4.0

Compare Source

Added

• Support Isolated Projects. (#​1139)

Changed

• Allow opting out of adding shadowJar into assemble lifecycle. (#​1939)

  shadow {
    // Disable making `assemble` task depend on `shadowJar`. This is enabled by default.
    addShadowJarToAssembleLifecycle = false
  }

• Stop catching ZipException when writing entries. (#​1970)

Fixed

• Fix interaction with Gradle artifact transforms. (#​1345)
• Fix skipStringConstants per-relocator behavior in mapName. (#​1968)
• Fix failing for non-existent class directories. (#​1976)

v9.3.2

Compare Source

Changed

• Stop moving gradleApi dependency from api to compileOnly for Gradle 9.4+. (#​1919)
• Log warnings for duplicates in the final JAR. (#​1931)

Fixed

• Fix relocation patterns not included in task fingerprint. (#​1933)

v9.3.1

Compare Source

Fixed

• Use ASM from jdependency embedded. (#​1898)
  This fixes potential classpath conflicts when using Shadow with other plugins that also use ASM.

v9.3.0

Compare Source

Added

• Add PatternFilterableResourceTransformer to simplify pattern based ResourceTransformers. (#​1849)
• Expose patternSet of ServiceFileTransformer as public. (#​1849)
• Expose patternSet of ApacheLicenseResourceTransformer as public. (#​1850)
• Expose patternSet of ApacheNoticeResourceTransformer as public. (#​1850)
• Expose patternSet of PreserveFirstFoundResourceTransformer as public. (#​1855)
• Support overriding output path of ApacheNoticeResourceTransformer. (#​1851)
• Add new merge strategy Fail to PropertiesFileTransformer. (#​1856)
• Add FindResourceInClasspath task to help with debugging issues with merged duplicate resources. (#​1860)
• Add MergeLicenseResourceTransformer. (#​1858)
• Add DeduplicatingResourceTransformer to deduplicate on path and content. (#​1859)
• Support disabling Kotlin module metadata remapping. (#​1875)

  tasks.shadowJar {
    // Disable remapping of Kotlin module metadata (`.kotlin_module`) files. This is enabled by default.
    enableKotlinModuleRemapping = false
  }

Changed

• Change the group of startShadowScripts from application to other. (#​1797)
• Update ASM and jdependency to support Java 26. (#​1799)
• Bump min Gradle requirement to 9.0.0. (#​1801)
• Deprecate PreserveFirstFoundResourceTransformer.resources. (#​1855)
• Make the output of PropertiesFileTransformer reproducible. (#​1861)
• Deprecate ShadowCopyAction. (#​1876)
  It should not be used as a public API. Will be made internal in a future release.

Fixed

• Fix Develocity integration when Isolated Projects enabled. (#​1836)

v9.2.2

Compare Source

Fixed

• Fix the regression of registering ShadowJar tasks without ShadowPlugin applied. (#​1787)

v9.2.1

Compare Source

Added

• Support relocating Groovy extensions in Module descriptors. (#​1705)
• Add extensions for Iterable<Relocator>. (#​1710)
• Support relocating list of types in RelocatorRemapper. (#​1714)
• Add mainClass property into ShadowJar. (#​1722)

  tasks.shadowJar {
    // This property will be used as a fallback if there is no explicit `Main-Class` attribute set.
    mainClass = "my.Main"
  }

• Honor executableDir and applicationName in application extension. (#​1740)
  This is useful when you want to customize the output directory of the start scripts and the application distribution.
• Provide more task accessors in ShadowApplicationPlugin.Companion. (#​1771)
• Support relocating Kotlin module files. (#​1539)
  The current implementation relocates all properties in KotlinModuleMetadata but KmModule.optionalAnnotationClasses due to very limited usage of it. See more discussion here.
• Allow overriding BUNDLING_ATTRIBUTE in GMM. (#​1773)
  The org.gradle.dependency.bundling in shadowed JAR's Gradle Module Metadata is set to shadowed by default. You can override it for now by:

  shadow {
    bundlingAttribute = Bundling.EMBEDDED
  }

Changed

• Merge Groovy Module descriptors into the modern META-INF path. (#​1706)
  The Gradle Module descriptors (org.codehaus.groovy.runtime.ExtensionModule files) defined under META-INF/services/
  and META-INF/groovy will be merged into META-INF/groovy/org.codehaus.groovy.runtime.ExtensionModule.
• Move injecting Class-Path manifest attr logic from doFirst into copy. (#​1720)
• Move injecting Main-Class manifest attr logic from doFirst into copy. (#​1724)
• Deprecate InheritManifest and inheritFrom. (#​1722)

  tasks.shadowJar {
    // Before (deprecated):
    manifest.inheritFrom(tasks.jar.get().manifest)
    // After (recommended):
    manifest.from(tasks.jar.get().manifest)
  
    // Note: You don't need to inherit the manifest from `jar` task as it's done by default for the `shadowJar` task.
    // But if you want to inherit the manifest for your custom `ShadowJar` task, you still need to do it explicitly.
  }

• Use default JavaExec error message when main class is not set. (#​1725)
• Update RelocatorRemapper class pattern to cover more Java method descriptors. (#​1731)
• Stop using start script templates bundled in Shadow. (#​1738)
• Bump min Java requirement to 17. (#​1744)
• Require most optional properties non-null. (#​1745)
• Make assemble depend on shadowJar even if it is added later. (#​1766)

Fixed

• Fix excluding dependencies whose versions contain +. (#​1597)

v9.2.0

Compare Source

v9.1.0

Compare Source

Added

• Allow opting out of shadowRuntimeElements variant. (#​1662)

  shadow {
    // Disable publishing `shadowRuntimeElements` as an optional variant of the `java` component.
    addShadowVariantIntoJavaComponent = false
  }
  
  // configuration must be done in the `afterEvaluate` phase, you cannot access `shadowRuntimeElements` before that.
  val javaComponent = components["java"] as AdhocComponentWithVariants
  javaComponent.withVariantsFromConfiguration(configurations["shadowRuntimeElements"]) {
    // See more details in https://github.com/GradleUp/shadow/pull/1662.
    skip()
  }

• Allow opting out of TARGET_JVM_VERSION_ATTRIBUTE. (#​1674)

  shadow {
    // Disable adding `TargetJvmVersion` attribute into the Gradle Module Metadata of the shadowed jar.
    addTargetJvmVersionAttribute = false
  }

• Allow opting out of Multi-Release attribute. (#​1675)

  tasks.shadowJar {
    // Disable adding `Multi-Release` attribute into the manifest of the shadowed jar.
    addMultiReleaseAttribute = false
  }

Changed

• Don't inject TargetJvmVersion attribute when automatic JVM targeting is disabled. (#​1666)
• Do not write modified class files for no-op relocations. (#​1694)
• BREAKING CHANGE: The introduction of some afterEvaluate usages may cause configuration issues in rare cases.

v9.0.2

Compare Source

Fixed

• Fix missing space in ApacheNoticeResourceTransformer preamble causing malformed NOTICE header. (#​1623)
• Fix using ApacheNoticeResourceTransformer without projectName. (#​1627)
• Fix extra indents of ApacheNoticeResourceTransformer output. (#​1628)
• Fix resolving BOM dependencies when minimize is enabled. (#​1637)

v9.0.1

Compare Source

[!NOTE]
If you are upgrading from 8.x versions, please read 9.0.0 release notes first.

[!TIP]
You can diff the shadowed JARs when upgrading from 8.x to 9.x by using Diffuse.
If there are any things missing in the changelog or the doc site, please report them to us.

Changed

• Improve the error message for empty mainClassName. (#​1601)
• Default duplicatesStrategy back to EXCLUDE. (#​1617)
  • This strategy is consistent with 8.x series behavior, which is more compatible for most users upgrading.
  • For most ResourceTransformer users, you need to override the strategy to INCLUDE to make them work.
  • Strongly suggest declaring the duplicatesStrategy explicitly in your ShadowJar configuration to avoid confusion.
  • See more details about the strategies at Handling Duplicates Strategy.

Fixed

• Fix the regression of can't shadow directory inputs. (#​1606)
• Fix the regression of MinimizeDependencyFilter. (#​1611)

v9.0.0

Compare Source

[!WARNING]
This release is a major update from the 8.x series. The plugin has been fully rewritten in Kotlin, bringing
significant improvements to maintainability, performance, and future extensibility. It introduces many new features,
enhancements, and bug fixes, and includes several breaking changes. Please review the changelog carefully and consult
the new doc site before upgrading.

If you really don't want to upgrade, you can still use the 8.3.x, which is also Gradle 9 compatible. But no additional features or crucial bug fixes will be included in the 8.x line.

[!TIP]
You can diff the shadowed JARs when upgrading from 8.x to 9.x by using Diffuse.
If there are any things missing in the changelog or the doc site, please report them to us.

Added

• Add .md support to the Apache License and Notice transformers. (#​1041)
• Sync SimpleRelocator changes from maven-shade-plugin. (#​1076)
• Support configuring separator in AppendingTransformer. (#​1169)
  This is useful for handling files like resources/application.yml.
• Exclude module-info.class in Multi-Release folders by default. (#​1177)
• Inject TargetJvmVersion attribute for Gradle Module Metadata. (#​1199)
• Sync ShadowApplicationPlugin with ApplicationPlugin. (#​1224)
• Inject Multi-Release manifest attribute if any dependency contains it. (#​1239)
• Mark Transformer as throwing IOException. (#​1248)
• Reduce duplicate SimpleRelocator to improve performance. (#​1271)
• Compat Kotlin Multiplatform plugin. (#​1280)
• Add Kotlin DSL examples in docs. (#​1306)
• Support using type-safe dependency accessors in ShadowJar.dependencies. (#​1322)
• Support command line options for ShadowJar. (#​1365)
  --enable-auto-relocation Enables auto relocation of packages in the dependencies.
  --no-enable-auto-relocation Disables option --enable-auto-relocation.
  --fail-on-duplicate-entries Fails build if the ZIP entries in the shadowed JAR are duplicate.
  --no-fail-on-duplicate-entries Disables option --fail-on-duplicate-entries.
  --minimize-jar Minimizes the jar by removing unused classes.
  --no-minimize-jar Disables option --minimize-jar.
  --relocation-prefix Prefix used for auto relocation of packages in the dependencies.
  --rerun Causes the task to be re-run even if up-to-date.
• Support skipping string constant remapping. (#​1401)
• Let assemble depend on shadowJar. (#​1524)
• Fail build when inputting AAR files or using Shadow with AGP. (#​1530)
• Add PreserveFirstFoundResourceTransformer. (#​1548)
  This is useful when you set shadowJar.duplicatesStrategy = DuplicatesStrategy.INCLUDE and
  want to ensure that only the first found resource is included in the final JAR.
• Fail build if the ZIP entries in the shadowed JAR are duplicate. (#​1552)
  This feature is controlled by the shadowJar.failOnDuplicateEntries property, which is false by default.
  Related to setting duplicatesStrategy = DuplicatesStrategy.FAIL but there are some differences:
  • It only checks the entries in the shadowed jar, not the input files.
  • It works with setting duplicatesStrategy to any value.
  • It provides a stricter fallback check before the JAR is created.

Changed

• BREAKING CHANGE: Rewrite this plugin in Kotlin. (#​1012)
• BREAKING CHANGE: Migrate Transformers to using lazy properties. (#​1036)
• BREAKING CHANGE: Migrate ShadowJar to using lazy properties. (#​1044)
• BREAKING CHANGE: Resolve Configuration directly in DependencyFilter. (#​1045)
• BREAKING CHANGE: Migrate SimpleRelocator to using lazy properties. (#​1047)
• BREAKING CHANGE: Some public getters have been updated in SimpleRelocator. (#​1079)
• BREAKING CHANGE: Migrate all ListProperty usages to SetProperty. (#​1103)
  Some public List parameters are also changed to Set.
• BREAKING CHANGE: Mark RelocatorRemapper as internal. (#​1227)
• BREAKING CHANGE: Bump min Java requirement to 11. (#​1242)
• BREAKING CHANGE: Move tracking unused classes logic out of ShadowCopyAction. (#​1257)
• BREAKING CHANGE: Move DependencyFilter into tasks package. (#​1272)
• BREAKING CHANGE: Change the default duplicatesStrategy from EXCLUDE to INCLUDE. (#​1233)
  • ShadowJar recognized EXCLUDE as the default, but the other strategies didn't work properly.
  • Now ShadowJar honors INCLUDE as the default, and aligns all the strategy behaviors with the Gradle side.
  • Some ResourceTransformers (e.g. ServiceFileTransformer) do not work with EXCLUDE, as it will exclude duplicate resources to be merged.
  • Duplicate entries might be bundled due to this change, but you can reduce them by using the newly added PreserveFirstFoundResourceTransformer.
  • Use filesMatching to override the default strategy for specific files.
  • Set failOnDuplicateEntries = true to fail the build to check for duplicate entries.
  • See more details at Handling Duplicates Strategy.
  • Note: The default duplicatesStrategy is changed back to EXCLUDE in 9.0.1 release.
• BREAKING CHANGE: Align the behavior of ShadowTask.from with Gradle's AbstractCopyTask.from. (#​1233)
  In the previous versions, ShadowTask.from would always unzip the files before processing them, which caused serial
  issues that are hard to fix. Now it behaves like Gradle's AbstractCopyTask.from, which means it will not unzip
  the files, only copy the files as-is. If you still want to shadow the unzipped files, try out something like:

    tasks.shadowJar {
      // Unzip the files before pass them to `from` by using `zipTree`.
      from(zipTree(files('path/to/your/file.zip')))
    }

  or

    dependencies {
      // Add the files to `implementation` configuration, Shadow will unzip them automatically.
      implementation(files('path/to/your/file.zip'))
    }

• BREAKING CHANGE: Rename Transformer to ResourceTransformer. (#​1288)
  Aims to better align with the name org.apache.maven.plugins.shade.resource.ResourceTransformer.java
  and to distinguish itself from org.gradle.api.Transformer.java.
• BREAKING CHANGE: Mark DefaultInheritManifest as internal. (#​1303)
• BREAKING CHANGE: Polish ShadowSpec. (#​1307)
  • Return values of ShadowSpec functions are changed to Unit to avoid confusion.
  • ShadowSpec no longer extends CopySpec.
  • Overload relocate, transform and things for better usability in Kotlin.
• BREAKING CHANGE: Remove redundant types from function returning. (#​1308)
• BREAKING CHANGE: Rename ShadowJar's isEnableRelocation to enableAutoRelocation. (#​1541)
• BREAKING CHANGE: Some const values in ShadowBasePlugin and ShadowJavaPlugin are moved. (#​1589)
  You can find them in ShadowJar, ShadowApplicationPlugin, and ShadowJavaPlugin.
• Replace deprecated SelfResolvingDependency with FileCollectionDependency. (#​1114)
• Update start script templates. (#​1183)
• Mark more Transformers cacheable. (#​1210)
• Mark ShadowJar.dependencyFilter as @Input. (#​1206)
• Polish startShadowScripts task registering. (#​1216)
• Refactor file visiting logic in StreamAction, handle file unzipping via Project.zipTree. (#​1233)
• Migrate doc sites to MkDocs. (#​1302)
• runShadow no longer depends on installShadowDist. (#​1353)
• Move the group of ShadowJar from shadow to build. (#​1355)
• In-development snapshots are now published to the Central Portal Snapshots repository. (#​1414)
• Expose AbstractDependencyFilter from internal to public. (#​1538)
  You can access it via com.github.jengelman.gradle.plugins.shadow.tasks.DependencyFilter.AbstractDependencyFilter.
• Mark Action parameters as non-null. (#​1555)
• Use BufferedOutputStream when writing the Zip file to improve performance. (#​1580)

Fixed

• Fix single Log4j2Plugins.dat isn't included into fat jar. (#​1039)
• Fail builds if processing bad jars. (#​1146)
• Fix Log4j2PluginsCacheFileTransformer not working for merging Log4j2Plugins.dat files. (#​1175)
• Support overriding mainClass provided by JavaApplication. (#​1182)
• Fix ShadowJar not being successful after includes or excludes are changed. (#​1200)
• Honor DuplicatesStrategy. (#​1233)
• Honor unzipped jars via from. (#​1233)
• Fix the last modified time of shadowed directories. (#​1277)
• Fix relocation exclusion for file patterns like kotlin/kotlin.kotlin_builtins. (#​1313)
• Allow using file trees of JARs together with the configuration cache. (#​1441)

Removed

• BREAKING CHANGE: Some public getters and setters have been removed in SimpleRelocator. (#​1079)
• BREAKING CHANGE: Remove JavaJarExec, now use JavaExec directly for runShadow task. (#​1197)
• BREAKING CHANGE: ServiceFileTransformer.ServiceStream has been removed. (#​1218)
• BREAKING CHANGE: Remove KnowsTask as it's useless. (#​1236)
• BREAKING CHANGE: Remove BaseStreamAction. (#​1258)
• BREAKING CHANGE: Remove ShadowStats. (#​1264)
• BREAKING CHANGE: Remove ShadowCopyAction.ArchiveFileTreeElement and RelativeArchivePath. (#​1233)
• BREAKING CHANGE: Remove TransformerContext.getEntryTimestamp. (#​1245)
• BREAKING CHANGE: Reduce dependency and project overloads in DependencyFilter. (#​1328)
• BREAKING CHANGE: Remove ShadowSpec. (#​1560)
• BREAKING CHANGE: Remove Relocator.ROLE. (#​1563)
• BREAKING CHANGE: Remove deprecated ShadowExtension.component. (#​1586)

Migration Example

8.x

tasks.shadowJar {
  isEnableRelocation = true
  duplicatesStrategy = DuplicatesStrategy.EXCLUDE
  mergeServiceFiles()
  from("foo.jar")
}

9.x

tasks.shadowJar {
  // `isEnableRelocation` has been renamed to `enableAutoRelocation`.
  enableAutoRelocation = true

  // If you want to make `mergeServiceFiles` or most resource transformers work, you should set the `duplicatesStrategy` to `INCLUDE`.
  // Because `EXCLUDE` will exclude extra service files to be merged.
  duplicatesStrategy = DuplicatesStrategy.INCLUDE
  mergeServiceFiles()
  // Optionally, you can enable the new `failOnDuplicateEntries` property to fail the build if there are duplicate entries.
  failOnDuplicateEntries = true

  // If you want to keep the `foo.jar` as-is (zipped), you can use the `from` method directly. This is different from the previous.
  from("foo.jar")
  // If you want to unzip the `foo.jar` before processing, you can use `zipTree` to unzip it.
  from(zipTree("foo.jar"))
}

If you used Shadow for merging service files, the following steps are recommended:

1. Make sure to leave duplicatesStrategy as INCLUDE or WARN.
2. Apply mergeServiceFiles or ServiceFileTransformer stuff as you did in your previous setup.
3. Diff the JARs from upgrading or not.
4. Remove the extra entries that are added by INCLUDE by eachFile, filesMatching, or PreserveFirstFoundResourceTransformer.
5. Diff the JARs again, and check that only the entries you want to preserve remain.
6. Optionally, if you want a stricter check for the shadowed JAR entries, enable failOnDuplicateEntries.
   This can also ensure the regressions are caught in the future.

See more details about the fixed DuplicatesStrategy behaviors at Handling Duplicates Strategy.

New Contributors

• @​KurdTt made their first contribution in https://github.com/GradleUp/shadow/pull/1039
• @​SimonMarquis made their first contribution in https://github.com/GradleUp/shadow/pull/1194
• @​andsel made their first contribution in https://github.com/GradleUp/shadow/pull/1241
• @​vlsi made their first contribution in https://github.com/GradleUp/shadow/pull/1490
• @​Jonathing made their first contribution in https://github.com/GradleUp/shadow/pull/1422
• @​DreierF made their first contribution in https://github.com/GradleUp/shadow/pull/1502
• @​gabrielfeo made their first contribution in https://github.com/GradleUp/shadow/pull/1505

Full Changelog: GradleUp/shadow@8.3.9...9.0.0

v9.0.0-rc3

Compare Source

[!IMPORTANT]
This release is a major update from the 8.3.x series. The plugin has been fully rewritten in Kotlin, bringing significant improvements to maintainability, performance, and future extensibility. It introduces many new features, enhancements, and bug fixes, and includes several breaking changes. Please review the changelog carefully and consult the new doc site before upgrading.

Added

• Add PreserveFirstFoundResourceTransformer. (#​1548)
  This is useful when you set shadowJar.duplicatesStrategy = DuplicatesStrategy.INCLUDE (the default behavior) and want to ensure that only the first found resource is included in the final JAR.
• Fail build if the ZIP entries in the shadowed JAR are duplicate. (#​1552)
  This feature is controlled by the shadowJar.failOnDuplicateEntries property, which is false by default.
  Related to setting duplicatesStrategy = DuplicatesStrategy.FAIL but there are some differences:
  • It only checks the entries in the shadowed jar, not the input files.
  • It works with setting duplicatesStrategy to any value.
  • It provides a more strict check before the JAR is created.

Changed

• BREAKING CHANGE: Rename ShadowJar's enableRelocation to enableAutoRelocation. (#​1541)
  The Command Line options are also updated:
  --enable-auto-relocation Enables auto relocation of packages in the dependencies.
  --no-enable-auto-relocation Disables option --enable-auto-relocation.
  --fail-on-duplicate-entries Fails build if the ZIP entries in the shadowed JAR are duplicate.
  --no-fail-on-duplicate-entries Disables option --fail-on-duplicate-entries.
  --minimize-jar Minimizes the jar by removing unused classes.
  --no-minimize-jar Disables option --minimize-jar.
  --relocation-prefix Prefix used for auto relocation of packages in the dependencies.
  --rerun Causes the task to be re-run even if up-to-date.
• Mark Action parameters as non-null. (#​1555)

Removed

• Remove JVM default compat stuff. (#​1556)

---

Configuration

📅 Schedule: Branch creation - "on Monday" in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[orca-security-us]

Orca Security Scan Summary

Status	Check	Issues by priority
Passed	Secrets	0   0   0   0	View in Orca

[github-actions]

Test Results

0 files   - 1  0 suites   - 1   0s ⏱️ -4s
0 tests  - 5  0 ✅  - 5  0 💤 ±0  0 ❌ ±0 
0 runs   - 9  0 ✅  - 9  0 💤 ±0  0 ❌ ±0 

Results for commit 6fabedf. ± Comparison against base commit 7271d98.

♻️ This comment has been updated with latest results.

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[cursor]

Shadow 9.3.x requires Gradle 9.0 but project uses 8.x

High Severity

Shadow plugin 9.3.2 requires a minimum Gradle version of 9.0.0 (introduced in the 9.3.0 release notes: "Bump min Gradle requirement to 9.0.0"), but gradle-wrapper.properties specifies Gradle 8.14.3. This version incompatibility will break the build at plugin apply time. The last Shadow version compatible with Gradle 8.x is 9.2.x.

 

[cursor]

Version mismatch between PR description and actual code

Medium Severity

The PR title and description state the shadow plugin is being updated to 9.3.1, but the actual version set in libs.versions.toml is 9.3.2. This discrepancy suggests either the intended version was 9.3.1 and a typo was introduced, or the description wasn't updated to reflect the actual change. The release notes in the PR body also only cover up to v9.3.1.