fix: upgrade vulnerable transitive dependencies (nimbus-jose-jwt, woodstox, jettison)

[Zjianru]

What's the purpose of this PR

Upgrade transitive dependency versions to fix known CVEs reported in #5386.

升级传递依赖版本，修复 #5386 中报告的已知 CVE。

Ref #5386

Changes / 改动

Override transitive dependency versions via <dependencyManagement> in the root POM:

通过根 POM 的 <dependencyManagement> 覆盖传递依赖版本：

Dependency	Old Version	New Version	CVE(s) Fixed
nimbus-jose-jwt	9.21 (managed by Spring Boot 2.7.11)	9.37.3	CVE-2023-52428
woodstox-core	6.2.1	6.5.1	CVE-2022-40152
jettison	1.4.0	1.5.4	CVE-2022-40149, CVE-2022-45685, CVE-2022-45693, CVE-2023-1436

Already fixed in master / 已在 master 修复

The following dependencies mentioned in #5386 have already been upgraded:

以下 #5386 中提到的依赖已在之前的提交中升级：

• H2 Database: 2.2.220 (fixes CVE-2022-45868)
• SnakeYAML: 2.3 (fixes CVE-2022-1471)
• PostgreSQL JDBC: 42.7.2 (fixes CVE-2024-1597)

Out of scope / 不在本 PR 范围

• Spring Boot 2.x → 3.x: Major version upgrade with significant migration effort (Jakarta EE, Java 17+, etc.)
• Spring Framework / Spring Security: Managed by Spring Boot BOM, requires Spring Boot major upgrade
• commons-jxpath 1.3: Project is unmaintained (last release 2008), no fix available; consider removing the dependency in a separate effort

Which issue(s) this PR fixes

Ref #5386

Summary by CodeRabbit

• Chores
  • Pinned transitive library versions to address security vulnerabilities.
  • Added explicit dependency declarations to ensure consistent resolution.
  • Applied overrides in dependency management and direct dependencies for predictability.
  • Improved build stability and reduced risk of CVEs from indirect dependencies.
  • Lowered maintenance overhead by making dependency versions explicit and repeatable.

[coderabbitai]

📝 Walkthrough

Walkthrough

Added three Maven properties and pinned explicit dependencies in pom.xml for nimbus-jose-jwt, woodstox-core, and jettison (in both dependencyManagement and dependencies) to control transitive resolution and address CVEs.

Changes

Cohort / File(s)	Summary
Dependency CVE Overrides pom.xml	Added properties nimbus-jose-jwt.version, woodstox-core.version, jettison.version; added corresponding entries under <dependencyManagement> and explicit <dependency> declarations to pin transitive versions for CVE mitigation.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

lgtm

Suggested reviewers

• hezhangjian
• nobodyiam

Poem

🐰 I hopped through XML with a twitch and a cheer,
Three versions pinned so no CVE draws near,
I nudged dependency tags with a careful paw,
Now builds sleep soundly — that’s the rule I saw. 🥕✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title clearly and specifically identifies the primary change: upgrading vulnerable transitive dependencies with exact names and CVE fixes as the main objective.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

No actionable comments were generated in the recent review. 🎉

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@pom.xml`:
- Around line 88-91: Update the override properties to the latest patch versions
for full CVE coverage: change the nimbus-jose-jwt.version property to 10.7 and
the woodstox-core.version property to 7.1.1 (keep jettison.version as-is at
1.5.4); retain the existing properties + <dependencyManagement> override
approach so these updated property values propagate to transitive dependencies
and rebuild to verify no conflicts.

[github-actions]

CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅

[Zjianru]

I have read the CLA Document and I hereby sign the CLA

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@pom.xml`:
- Around line 88-91: Update the overridden nimbus-jose-jwt.version property to
the 9.x branch that contains the CVE-2023-52428 backport (recommended 9.37.4)
instead of 10.7 to maintain compatibility with Spring Security 5.7.x; change the
nimbus-jose-jwt.version property, then run mvn dependency:tree and the full test
suite and specifically exercise OAuth2 flows (spring-boot-starter-oauth2-client
and spring-boot-starter-oauth2-resource-server) to ensure no
ClassCastException/NoSuchMethodError or runtime issues before merging —
alternatively, if you choose to keep 10.7, document that you ran those
dependency and integration tests and they all passed.