
chore: upgrade dependencies (@actions/core, cache, glob, http-client, tool-cache, xmlbuilder2)#999

Open
Copilot wants to merge 1 commit into main from copilot/upgrade-dependencies-and-fix-vulnerabilities

Conversation


Copilot AI commented Apr 8, 2026

Summary

Upgrades the following npm dependencies and resolves vulnerabilities:

Package               From      To
@actions/core         ^1.10.0   ^2.0.3
@actions/cache        ^5.0.1    ^5.0.5
@actions/glob         ^0.5.0    ^0.5.1
@actions/http-client  ^2.2.3    ^3.0.2
@actions/tool-cache   ^2.0.1    ^3.0.1
xmlbuilder2           ^2.4.0    ^4.0.3

Changes

  • Updated package.json dependency versions
  • Ran npm install to update package-lock.json
  • Ran npm audit fix — resolved all vulnerabilities (0 remaining)
  • Ran licensed cache to update license metadata for new/updated packages
  • Added argparse to the reviewed list in .licensed.yml (uses Python Software Foundation License, detected as other by licensed)
  • licensed status passes: 52 dependencies checked, 0 errors found
  • Rebuilt dist/ bundles

Copilot AI requested a review from lmvysakh April 8, 2026 09:39
lmvysakh marked this pull request as ready for review April 8, 2026 10:11
lmvysakh requested a review from a team as a code owner April 8, 2026 10:12
Copilot AI review requested due to automatic review settings April 8, 2026 10:12

Copilot AI left a comment


Pull request overview

This PR upgrades key npm dependencies used by the setup-java GitHub Action (notably @actions/* toolkit packages and xmlbuilder2) to address security vulnerabilities, and refreshes associated lockfile, bundled dist/ output, and license metadata to match the updated dependency graph.

Changes:

  • Bumped @actions/* dependencies and xmlbuilder2 in package.json and updated package-lock.json accordingly.
  • Updated .licenses/ entries to reflect added/removed/transitively-changed dependencies and license sources.
  • Updated .licensed.yml to mark newly “other”-detected dependencies (e.g., argparse) as reviewed.

Reviewed changes

Copilot reviewed 27 out of 31 changed files in this pull request and generated 1 comment.

Summary per file

  • package.json: Updates top-level dependency versions for the Action runtime.
  • package-lock.json: Updates the resolved dependency tree, including new transitive deps and engine/license metadata.
  • .licensed.yml: Adds argparse to the reviewed list to satisfy licensed checks.
  • .licenses/npm/xmlbuilder2.dep.yml: Updates xmlbuilder2 license metadata for v4 (including license source filename).
  • .licenses/npm/undici.dep.yml: Bumps undici license metadata to match the new resolved version.
  • .licenses/npm/strnum.dep.yml: Bumps strnum license metadata to match the new resolved version.
  • .licenses/npm/path-expression-matcher.dep.yml: Updates license metadata for the newly introduced transitive dependency.
  • .licenses/npm/js-yaml.dep.yml: Updates js-yaml license metadata to match the new resolved major version.
  • .licenses/npm/fast-xml-parser.dep.yml: Updates fast-xml-parser license metadata to match the resolved version.
  • .licenses/npm/fast-xml-builder.dep.yml: Updates fast-xml-builder license metadata to match the resolved version.
  • .licenses/npm/brace-expansion.dep.yml: Updates brace-expansion license metadata to match the resolved version.
  • .licenses/npm/argparse.dep.yml: Updates argparse metadata and embeds the PSF license text (detected as other).
  • .licenses/npm/@actions/http-client.dep.yml: Adds updated license metadata for @actions/http-client v3.
  • Removed .licenses entries (uuid, undici-5.29.0, sprintf-js, esprima, @types/node, @fastify/busboy, old @actions/*): Removes license metadata for dependencies no longer present in the resolved production dependency set.


Comment on lines +32 to +38
"@actions/cache": "^5.0.5",
"@actions/core": "^2.0.3",
"@actions/exec": "^1.0.4",
"@actions/glob": "^0.5.0",
"@actions/http-client": "^2.2.3",
"@actions/glob": "^0.5.1",
"@actions/http-client": "^3.0.2",
"@actions/io": "^1.0.2",
"@actions/tool-cache": "^2.0.1",
"@actions/tool-cache": "^3.0.1",
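Review bot: This hunk moves @actions/http-client from ^2.2.3 to ^3.0.2 and @actions/tool-cache from ^2.0.1 to ^3.0.1 (and the table above moves @actions/core from ^1.10.0 to ^2.0.3), all major bumps, yet the PR description lists only version edits, npm install, npm audit fix, license metadata and a dist/ rebuild, with no mention of source or API adjustments or of a test run against the new majors. Please record in the description which breaking changes in those releases were checked, and have a maintainer regenerate dist/ locally from this lockfile and diff it against the committed bundle, so the bundle shipped by the Action is confirmed to match the declared dependency set rather than taken on trust from the automated commit.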

Copilot AI Apr 8, 2026


@actions/core@2 and @actions/tool-cache@3 pull in @actions/exec@2 and @actions/io@2, but this action still pins @actions/exec@^1.0.4 and @actions/io@^1.0.2. This results in multiple major versions of the same toolkit libraries being installed/bundled (larger dist/, harder to reason about which implementation is used). Consider upgrading the direct dependencies to the matching major versions (and adjusting any API usage if needed) so the toolkit stack is aligned.

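The duplicated-major situation in the comment above can be checked mechanically against the lockfile. The script below is an added example, not code from the setup-java project: it walks the "packages" map of a lockfileVersion 2 or 3 package-lock.json and reports every package installed at more than one major version, using a constructed lockfile fragment with illustrative version numbers rather than the real tree.

```javascript
// Added example, not code from the setup-java project: report packages that
// appear at more than one major version in a package-lock.json v2/v3
// "packages" map (the condition the review comment above describes).

// Derive the package name from a lockfile path such as
// "node_modules/@actions/tool-cache/node_modules/@actions/exec".
function nameFromLockPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Return { name: [distinct majors, ascending] } for every package installed
// at more than one major version. Entries without a version are skipped.
function findDuplicateMajors(lock) {
  const majors = new Map();
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "" || !entry || typeof entry.version !== "string") continue;
    const major = Number(entry.version.split(".")[0]);
    if (Number.isNaN(major)) continue;
    const name = nameFromLockPath(lockPath);
    if (!majors.has(name)) majors.set(name, new Set());
    majors.get(name).add(major);
  }
  const result = {};
  for (const [name, set] of majors) {
    if (set.size > 1) result[name] = [...set].sort((a, b) => a - b);
  }
  return result;
}

// Constructed lockfile fragment (illustrative versions, not the real tree):
// direct @actions/exec@1 and @actions/io@1 next to the @2 copies nested
// under @actions/tool-cache@3.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "setup-java" },
    "node_modules/@actions/core": { version: "2.0.3" },
    "node_modules/@actions/exec": { version: "1.0.4" },
    "node_modules/@actions/io": { version: "1.0.2" },
    "node_modules/@actions/tool-cache": { version: "3.0.1" },
    "node_modules/@actions/tool-cache/node_modules/@actions/exec": { version: "2.0.0" },
    "node_modules/@actions/tool-cache/node_modules/@actions/io": { version: "2.0.0" },
  },
};

for (const [name, m] of Object.entries(findDuplicateMajors(SAMPLE_LOCK))) {
  console.log(`${name} is installed at majors ${m.join(" and ")}`);
}
```

To run it against a real tree, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to findDuplicateMajors; an empty result means every package resolves to a single major.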