bump sample-side tomcat + commons-lang3 to clear Snyk CVEs #11

Merged
vzakharchenko merged 2 commits into main from chore/bump-sample-tomcat-and-lang3 on May 19, 2026
Conversation

@vzakharchenko (Member)

Snyk's scan of the sample reactor (sample-core, forge-connect, forge-container) surfaced 8 transitive CVEs that the library-side tomcat bump in #9 did not touch — the sample has its own spring-boot-starter-parent and is built independently.

  • Override <tomcat.version>10.1.55</tomcat.version> in the sample's parent pom; closes the same CVE batch on sample-core that bump tomcat-embed-core to 10.1.55 (Dependabot CVE batch) #9 already resolved for the bridge modules (HTTP/2 header validation, DIGEST authenticator wildcard match, WebDAV LOCK/PROPFIND unbounded read, LockOutRealm case sensitivity, WebSocket header exposure, AJP non-constant time, security-constraint mapping).
  • Pin org.apache.commons:commons-lang3 to 3.18.0 in the parent's <dependencyManagement>. liquibase-core 4.31.1 (pulled by the Connect JPA starter) drags in 3.17.0, which carries CVE-2025-48924 (Uncontrolled Recursion in ClassUtils.getClass). 3.18.0 is the patch.

Verified mvn dependency:tree on each sample module resolves tomcat-embed-core:10.1.55 and commons-lang3:3.18.0 (the latter only where liquibase is on the path — forge-container excludes JPA and so has no commons-lang3 transitive at all).
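The two mechanisms the description relies on, shown together in one parent pom fragment. This is an added example, not the PR's own pom: the Tomcat and commons-lang3 versions and the module names are taken from the PR text, while the Spring Boot version and the project coordinates are placeholders.

```xml
<!-- Added example, not the sample reactor's actual pom. A parent pom that
     inherits spring-boot-starter-parent and applies the two fixes from the PR.
     SPRING_BOOT_VERSION_PLACEHOLDER and example.placeholder are assumptions. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>SPRING_BOOT_VERSION_PLACEHOLDER</version>
    <relativePath/>
  </parent>

  <groupId>example.placeholder</groupId>
  <artifactId>sample-parent</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <packaging>pom</packaging>

  <properties>
    <!-- spring-boot-dependencies declares every org.apache.tomcat.embed artifact
         with ${tomcat.version}, so overriding the property here moves
         tomcat-embed-core, -el and -websocket together instead of pinning
         one artifact and leaving the others mismatched. -->
    <tomcat.version>10.1.55</tomcat.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- commons-lang3 is never declared directly; liquibase-core 4.31.1 brings
           3.17.0 in transitively. A managed version takes precedence over any
           transitive version at any depth, which is why the pin lives here rather
           than in a single module's <dependencies> block. -->
      <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-lang3</artifactId>
        <version>3.18.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <modules>
    <module>sample-core</module>
    <module>forge-connect</module>
    <module>forge-container</module>
  </modules>
</project>
```

To confirm the override actually reached each module, run `mvn dependency:tree -Dincludes=org.apache.tomcat.embed:tomcat-embed-core,org.apache.commons:commons-lang3` from each module directory; the `includes` filter narrows the tree to the two artifacts of interest. A module that excludes JPA (forge-container in this PR) prints no commons-lang3 line at all, which is the expected result rather than a missing pin.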

vzakharchenko and others added 2 commits May 19, 2026 22:45
Snyk's scan of the sample reactor (sample-core, forge-connect,
forge-container) surfaced 8 transitive CVEs that the library-side
tomcat bump in #9 did not touch — the sample has its own
spring-boot-starter-parent and is built independently.

- Override <tomcat.version>10.1.55</tomcat.version> in the sample's
  parent pom; closes the same CVE batch on sample-core that #9 already
  resolved for the bridge modules (HTTP/2 header validation, DIGEST
  authenticator wildcard match, WebDAV LOCK/PROPFIND unbounded read,
  LockOutRealm case sensitivity, WebSocket header exposure, AJP
  non-constant time, security-constraint mapping).
- Pin org.apache.commons:commons-lang3 to 3.18.0 in the parent's
  <dependencyManagement>. liquibase-core 4.31.1 (pulled by the Connect
  JPA starter) drags in 3.17.0, which carries CVE-2025-48924
  (Uncontrolled Recursion in ClassUtils.getClass). 3.18.0 is the patch.

Verified `mvn dependency:tree` on each sample module resolves
tomcat-embed-core:10.1.55 and commons-lang3:3.18.0 (the latter only
where liquibase is on the path — forge-container excludes JPA and so
has no commons-lang3 transitive at all).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@vzakharchenko vzakharchenko enabled auto-merge May 19, 2026 19:47
qltysh Bot commented May 19, 2026

Qlty


Coverage Impact

This PR will not change total coverage.

🚦 See full report on Qlty Cloud »

@vzakharchenko vzakharchenko merged commit b8fa2bf into main May 19, 2026
8 checks passed
@vzakharchenko vzakharchenko deleted the chore/bump-sample-tomcat-and-lang3 branch May 19, 2026 19:52