forge-sql-orm · vzakharchenko · May 19, 2026 · May 19, 2026 · May 19, 2026
diff --git a/examples/atlassian-connect-forge-spring-boot-sample/pom.xml b/examples/atlassian-connect-forge-spring-boot-sample/pom.xml
@@ -29,11 +29,27 @@
         <java.version>21</java.version>
         <atlassian-connect-spring-boot.version>6.0.2</atlassian-connect-spring-boot.version>
         <atlassian-runtime-bridge.version>1.0-SNAPSHOT</atlassian-runtime-bridge.version>
+        <!-- Override Spring Boot 3.5.14 default (10.1.54) to clear the Tomcat
+             CVE batch Snyk reports against sample-core (HTTP/2 headers, Digest
+             auth, WebDAV LOCK/PROPFIND, etc.); fixed in 10.1.55. -->
+        <tomcat.version>10.1.55</tomcat.version>
         <!-- frontend toolchain — frontend-maven-plugin downloads Node + npm into target/,
              so contributors do not need a system-wide install and CI is reproducible.
              Node 24.x is the current LTS (Krypton); npm 11.12.1 is what it bundles. -->
         <frontend-maven-plugin.version>1.15.1</frontend-maven-plugin.version>
         <node.version>v24.15.0</node.version>
         <npm.version>11.12.1</npm.version>
     </properties>
+
+    <dependencyManagement>
+        <dependencies>
+            <!-- Force-bump the commons-lang3 transitive (liquibase-core 4.31.1 pulls 3.17.0,
+                 which has CVE-2025-48924 — Uncontrolled Recursion in ClassUtils.getClass). -->
+            <dependency>
+                <groupId>org.apache.commons</groupId>
+                <artifactId>commons-lang3</artifactId>
+                <version>3.20.0</version>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
 </project>