From 8f7c30e95ec78797a31e3ee335dbcd8b3827b75f Mon Sep 17 00:00:00 2001
From: Adam Rauch
Date: Fri, 1 May 2026 16:46:52 -0700
Subject: [PATCH 1/6] Update Apache Mina & Spring to the latest versions (#1359)

---
 gradle.properties | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/gradle.properties b/gradle.properties
index 4c59a7fa57..b593a0b65f 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -96,8 +96,8 @@ antlrST4Version=4.3.4

 #Unifying version used by DISCVR and Premium
 apacheDirectoryVersion=2.1.7
-#Transitive dependency of Apache directory: 2.0.18 contains some regressions
-apacheMinaVersion=2.2.5
+#Transitive dependency of Apache directory
+apacheMinaVersion=2.2.7

 # Usually matches the version specified as a Spring Boot dependency (see springBootVersion below)
 apacheTomcatVersion=11.0.21
@@ -294,9 +294,9 @@ slf4jLog4jApiVersion=2.0.17
 snappyJavaVersion=1.1.10.8

 # Also, update apacheTomcatVersion above to match Spring Boot's Tomcat dependency version
-springBootVersion=4.0.5
+springBootVersion=4.0.6
 # This usually matches the Spring Framework version dictated by springBootVersion
-springVersion=7.0.6
+springVersion=7.0.7
 springAiVersion=2.0.0-M4

 sqliteJdbcVersion=3.51.1.0

From dc0d1e5a1f4063e436f19b2eb2f6880ce37bc3fc Mon Sep 17 00:00:00 2001
From: Adam Rauch
Date: Mon, 4 May 2026 14:26:11 -0700
Subject: [PATCH 2/6] Update PostgreSQL JDBC driver (#1360)

---
 gradle.properties | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gradle.properties b/gradle.properties
index b593a0b65f..b6c45444f6 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -271,7 +271,7 @@ poiVersion=5.4.0

 pollingWatchVersion=0.2.0

-postgresqlDriverVersion=42.7.9
+postgresqlDriverVersion=42.7.11

 quartzVersion=2.5.2

From e17e4f142bb2ec81fb3206283ace3a7d8c14cece Mon Sep 17 00:00:00 2001
From: Adam Rauch
Date: Mon, 4 May 2026 17:53:11 -0700
Subject: [PATCH 3/6] Upgrade to Spring AI 2.0.0-M5 (#1352)

* Upgrade to Spring AI 2.0.0-M5
* Bump Spring Framework and Spring Boot as well
---
 build.gradle | 3 ---
 gradle.properties | 5 +----
 2 files changed, 1 insertion(+), 7 deletions(-)

diff --git a/build.gradle b/build.gradle
index a5224c25f8..43d3040ee6 100644
--- a/build.gradle
+++ b/build.gradle
@@ -352,9 +352,6 @@ allprojects {
 force "org.springframework:spring-messaging:${springVersion}"
 force "org.springframework:spring-webflux:${springVersion}"

- // spring-ai dependency. Force to mitigate a CVE.
- force "io.modelcontextprotocol.sdk:mcp:${modelContextProtocolVersion}"
-
 // Force consistency between pipeline's ActiveMQ and cloud's jClouds dependencies
 force "javax.annotation:javax.annotation-api:${javaxAnnotationVersion}"

diff --git a/gradle.properties b/gradle.properties
index b6c45444f6..8d4400135b 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -252,9 +252,6 @@ lombokVersion=1.18.42

 luceneVersion=10.3.2

-# Spring-AI dependency that's showing a CVE
-modelContextProtocolVersion=1.1.1
-
 mssqlJdbcVersion=13.2.1.jre11

 objenesisVersion=1.0
@@ -297,7 +294,7 @@ snappyJavaVersion=1.1.10.8
 springBootVersion=4.0.6
 # This usually matches the Spring Framework version dictated by springBootVersion
 springVersion=7.0.7
-springAiVersion=2.0.0-M4
+springAiVersion=2.0.0-M5

 sqliteJdbcVersion=3.51.1.0

From bac40d291115222068047598ce5ece7b759ef245 Mon Sep 17 00:00:00 2001
From: Adam Rauch
Date: Thu, 7 May 2026 16:23:18 -0700
Subject: [PATCH 4/6] Update log4j2 (#1366)

---
 gradle.properties | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gradle.properties b/gradle.properties
index 8d4400135b..385ec07d85 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -246,7 +246,7 @@ jxlVersion=2.6.3

 kaptchaVersion=2.3

-log4j2Version=2.25.4
+log4j2Version=2.26.0

 lombokVersion=1.18.42

From 3ed81492911699dc9591e054d73d0b42ead96d9f Mon Sep 17 00:00:00 2001
From: Adam Rauch
Date: Wed, 13 May 2026 11:47:50 -0700
Subject: [PATCH 5/6] Update Spring AI and Tomcat dependencies (#1374)

---
 gradle.properties | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gradle.properties b/gradle.properties
index 385ec07d85..b5ba586dce 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -100,7 +100,7 @@ apacheDirectoryVersion=2.1.7
 apacheMinaVersion=2.2.7

 # Usually matches the version specified as a Spring Boot dependency (see springBootVersion below)
-apacheTomcatVersion=11.0.21
+apacheTomcatVersion=11.0.22

 # (mothership) -> json-path -> json-smart -> accessor-smart
 # (core) -> graalvm
@@ -294,7 +294,7 @@ snappyJavaVersion=1.1.10.8
 springBootVersion=4.0.6
 # This usually matches the Spring Framework version dictated by springBootVersion
 springVersion=7.0.7
-springAiVersion=2.0.0-M5
+springAiVersion=2.0.0-M6

 sqliteJdbcVersion=3.51.1.0

From 8d5d0b6bc86e38c5975e3d965e59b118e29ad202 Mon Sep 17 00:00:00 2001
From: Adam Rauch
Date: Fri, 22 May 2026 17:07:49 -0700
Subject: [PATCH 6/6] Back-port false positive suppression (#1386)

---
 dependencyCheckSuppression.xml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml
index 7a3b3b8e8c..4a7c257d00 100644
--- a/dependencyCheckSuppression.xml
+++ b/dependencyCheckSuppression.xml
@@ -304,4 +304,16 @@ cpe:/a:vmware:vmware_server + + + + ^pkg:maven/com\.networknt/json-schema-validator@.*$ + CVE-2025-15104 +