
fix: resolve snyk vulnerabilities #20

Merged
stevecl5 merged 1 commit into master from scl/update-dependencies on Feb 27, 2026

Conversation

@stevecl5 (Contributor) commented Feb 27, 2026

Summary of Changes

Updated dependencies including the Coppuccino plugin. This resolves multiple vulnerabilities reported by Snyk, including:

Other dependency changes include:

  • Removing the manual spotbugs-annotations dependency, as it is now automatically included by Coppuccino
  • Changing mockito-inline and spock-core dependencies from api to testImplementation to prevent test libraries from leaking into consumer classpaths
  • Removing the redundant kotlin-stdlib-jdk8 dependency (now handled natively by the Kotlin JVM plugin)
  • Removing the explicit org.apache.bcel security override, as the underlying vulnerabilities are resolved by the latest dependency versions

I also cleaned up and modernized the Gradle configuration files, removing redundancies and deprecated syntax.

Public API Additions/Changes

N/A

Downstream Consumer Impact

Artifact Reduction & Scope Fix: Previously, Vogue exposed mockito-inline and spock-core via the api configuration, which forced these testing libraries onto the compile and runtime classpaths of any project that applied Vogue. By shifting these to testImplementation, downstream consumers will see a cleaner dependency graph and reduced artifact bloat.

There are no breaking changes to consumer APIs, and no forced migration steps are required.

How Has This Been Tested?

  • Verified the new dependency scopes by successfully running ./gradlew dependencies --write-locks and confirming that Spock and Mockito were properly shifted strictly to test configurations in the gradle.lockfile.
  • Verified that the project successfully compiles without the manual spotbugs-annotations dependency, proving the Coppuccino 6.+ injection is working as intended.
  • Confirmed that Snyk vulnerabilities are resolved by running snyk test --all-projects --exclude=build
Snyk scan results
vogue % snyk test --all-projects --exclude=build

Testing /Users/steven.leighton/dev/vogue...

Tested 96 dependencies for known issues, found 4 issues, 6 vulnerable paths.


License issues:

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:org.jetbrains.intellij.deps:trove4j:LGPL-2.1] in org.jetbrains.intellij.deps:trove4j@1.0.20200330
    introduced by org.jetbrains.kotlin:kotlin-compiler-embeddable@2.1.0 > org.jetbrains.intellij.deps:trove4j@1.0.20200330 and 1 other path(s)

  ✗ MPL-2.0 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:net.sf.saxon:Saxon-HE:MPL-2.0] in net.sf.saxon:Saxon-HE@12.9
    introduced by com.github.spotbugs:spotbugs@4.9.8 > net.sf.saxon:Saxon-HE@12.9

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs-annotations:LGPL-2.1] in com.github.spotbugs:spotbugs-annotations@4.9.8
    introduced by com.github.spotbugs:spotbugs-annotations@4.9.8 and 1 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs:LGPL-2.1] in com.github.spotbugs:spotbugs@4.9.8
    introduced by com.github.spotbugs:spotbugs@4.9.8



Organization:      mx
Package manager:   gradle
Target file:       build.gradle
Project name:      vogue
Open source:       no
Project path:      /Users/steven.leighton/dev/vogue
Licenses:          enabled

-------------------------------------------------------

Testing /Users/steven.leighton/dev/vogue...

Organization:      mx
Package manager:   npm
Target file:       package-lock.json
Project name:      package.json
Open source:       no
Project path:      /Users/steven.leighton/dev/vogue
Licenses:          enabled

✔ Tested /Users/steven.leighton/dev/vogue for known issues, no vulnerable paths found.

Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.


Tested 2 projects, 1 contained vulnerable paths.

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my code
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
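As an added check (not part of this PR or the Vogue project) of the scope change described above, the following POSIX shell script scans a Gradle `gradle.lockfile` and fails when a test-only artifact appears in any configuration whose name does not start with `test`. The lockfile content embedded below is constructed to mimic the format Gradle's dependency locking writes (`group:artifact:version=config,config`); the artifact versions and the deliberately leaked `spotbugs-annotations` line are assumptions for illustration, not values from the project's lockfile.

```shell
#!/bin/sh
# Added example: verify that test libraries are confined to test configurations
# in a Gradle lockfile. Not from the Vogue PR; sample data is constructed.
#
# Lockfile line format written by Gradle dependency locking:
#   group:artifact:version=configA,configB,...
# Lines starting with '#' are comments; 'empty=' lists configurations that
# resolved to no dependencies.

# Constructed sample lockfile (versions are placeholders). The first two
# artifacts are correctly scoped; spotbugs-annotations is deliberately leaked
# into the main compile and runtime classpaths to exercise the failure path.
SAMPLE_LOCKFILE=$(cat <<'EOF'
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
org.mockito:mockito-inline:5.2.0=testCompileClasspath,testRuntimeClasspath
org.spockframework:spock-core:2.3-groovy-4.0=testCompileClasspath,testRuntimeClasspath
com.github.spotbugs:spotbugs-annotations:4.9.8=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
empty=annotationProcessor
EOF
)

# leaked_configs LOCKFILE_CONTENT ARTIFACT_SUBSTRING
# Prints one "group:artifact:version configuration" line for every
# non-test configuration in which a matching artifact is locked.
leaked_configs() {
    printf '%s\n' "$1" | grep -v '^#' | grep -v '^empty=' | grep -F -e "$2" |
    while IFS= read -r line; do
        artifact=${line%%=*}      # everything before the first '='
        configs=${line#*=}        # comma-separated configuration names
        printf '%s\n' "$configs" | tr ',' '\n' | grep -v '^test' |
        while IFS= read -r cfg; do
            printf '%s %s\n' "$artifact" "$cfg"
        done
    done
}

# check_test_scope LOCKFILE_CONTENT ARTIFACT_SUBSTRING
# Returns 0 when the artifact is test-only, 1 (listing the leaks) otherwise.
check_test_scope() {
    leaks=$(leaked_configs "$1" "$2")
    if [ -n "$leaks" ]; then
        printf 'LEAK: %s\n' "$leaks"
        return 1
    fi
    return 0
}

# Demonstration against the constructed sample.
check_test_scope "$SAMPLE_LOCKFILE" 'spock-core' && echo "spock-core: test-only"
check_test_scope "$SAMPLE_LOCKFILE" 'mockito-inline' && echo "mockito-inline: test-only"
check_test_scope "$SAMPLE_LOCKFILE" 'spotbugs-annotations' || echo "spotbugs-annotations: leaks into main configurations"
```

To run the same check against a real project, replace the sample with `"$(cat gradle.lockfile)"` after `./gradlew dependencies --write-locks`; wiring the non-zero exit status into CI turns the manual lockfile inspection described in the PR into an automated gate.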

build: update dependencies

build: clean up gradle configuration files
@stevecl5 stevecl5 merged commit f6143fe into master Feb 27, 2026
7 checks passed
@stevecl5 stevecl5 deleted the scl/update-dependencies branch February 27, 2026 18:17