dependabot-preview[bot]

Bumps mybatis from 3.4.5 to 3.5.6.

Release notes

Sourced from mybatis's releases.

mybatis-3.5.6

Enhancements:

  • A new configuration option defaultSqlProviderType is added. The specified class will be used as the SQL provider when the value() or type() is not specified in @SelectProvider, @UpdateProvider, @InsertProvider and @DeleteProvider. #1951
  • A new transaction isolation level SQL_SERVER_SNAPSHOT is added to TransactionIsolationLevel enum to support the MS SQL Server specific isolation level SNAPSHOT. #1973
  • When there is no JEP-290 serialization filter defined, a WARN level message is logged on deserializing object streams. #2079

Bug fixes:

  • Possible NoSuchPropertyException under heavy load. #1648
  • Possible InvalidPathException when registering type aliases by specifying package name. #1974
  • Possible OutOfMemoryError when using BlockingCache. #2044

There is no known backward incompatible change since 3.5.5.

Please see the 3.5.6 milestone page for the complete list of changes.

mybatis-3.5.5

Enhancements:

  • You can reference single List or Collection type parameter using its actual parameter name when useActualParamName is enabled. #1237
  • You can specify resultMap in @One and @Many. #1771
  • You can specify columnPrefix in @One and @Many. #1829
  • A new option shrinkWhitespacesInSql to remove extra whitespaces in SQL. #1901

Bug fixes:

  • Possible IllegalArgumentException when using @CacheNamespaceRef. #1719
  • Mapper method invocation should be non-blocking (work around JDK-8161372). #1929

There is no known backward incompatible change since 3.5.4.

Please see the 3.5.5 milestone page for the complete list of changes.

mybatis-3.5.4

Enhancements:

  • You can now omit unnecessary @Results and @ConstructorArgs annotation. #1698

Bug fixes:

  • Avoid invoking hashCode() method when setting auto-generated keys. #1719
  • Possible ResultMapException when using nested select. #1551
  • Possible incorrect TypeVariable resolution in TypeParameterResolver. #1794
  • Race condition in TypeHandlerRegistry. #1819

There is no known backward incompatible change since 3.5.3.

Please see the 3.5.4 milestone page for the complete list of changes.

Commits
  • 4f286a7 [maven-release-plugin] prepare release mybatis-3.5.6
  • d89b300 Merge pull request #2079 from harawata/desrialization-warning
  • 9caf480 Output warning when deserializing object stream with no JEP-290 filter defined
  • 6c6756c Merge pull request #2076 from nothingzhl/test
  • c6df26c Replaced two more URLs, updated license headers, removed extra blank lines
  • f1c6172 replace all failure doc url link
  • 3ffa307 clean failure doc url link
  • 24d672c Merge pull request #2064 from tacoo/parsing
  • 50c83b4 Merge pull request #2072 from mybatis/dependabot/maven/org.mockito-mockito-ju...
  • 56ed918 Merge pull request #2073 from mybatis/dependabot/maven/org.mockito-mockito-co...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

dependabot-preview bot added the "dependencies" label (Pull requests that update a dependency file) on Oct 7, 2020
@dependabot-preview
Author

We've just been alerted that this update fixes a security vulnerability:

Sourced from The GitHub Security Advisory Database.

"Deserialization errors in MyBatis"

MyBatis before 3.5.6 mishandles deserialization of object streams leading to potential cache poisoning.

Affected versions: ["< 3.5.6"]

dependabot-preview bot changed the title from "Bump mybatis from 3.4.5 to 3.5.6" to "[Security] Bump mybatis from 3.4.5 to 3.5.6" on Apr 22, 2021
dependabot-preview bot added the "security" label (Pull requests that address a security vulnerability) on Apr 22, 2021
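
The 3.5.6 release note and the advisory above both concern deserializing object streams without a JEP-290 filter. The following is an added example, not code from this pull request or from MyBatis: it installs a process-wide allow-list filter with the JDK's `ObjectInputFilter` API (Java 9 or later) and shows an unlisted class being rejected. The class names `SerialFilterDemo` and `CachedUser` are hypothetical stand-ins for an application's cached result types.

```java
import java.io.*;
import java.util.HashMap;

public class SerialFilterDemo {
    // Constructed stand-in for a cached result object; not a MyBatis class.
    static class CachedUser implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        CachedUser(String name) { this.name = name; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Allow-list: the demo class and java.lang.*, with graph size limits;
        // the trailing "!*" rejects every class not matched earlier.
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "SerialFilterDemo$CachedUser;java.lang.*;"
            + "maxdepth=10;maxrefs=1000;maxbytes=65536;!*");
        // Process-wide filter: applies to every ObjectInputStream in the JVM.
        // It can be set only once, and not if jdk.serialFilter is already set.
        ObjectInputFilter.Config.setSerialFilter(filter);

        CachedUser u = (CachedUser) deserialize(serialize(new CachedUser("alice")));
        System.out.println("allowed: " + u.name);

        try {
            // java.util.HashMap is not on the allow-list, so readObject() fails.
            deserialize(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern string can be supplied without code changes through the `jdk.serialFilter` system property, for example `-Djdk.serialFilter=...` on the JVM command line.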