BE: Chore: Bump Spring Boot to 3.5.3

[yeikel]

What changes did you make? (Give an overview)

• Upgraded Spring Boot to the latest version (3.5.3) to fetch the latest bug fixes and features as well as fixing CVE-2025-41234
• Removed several dependency overrides that are no longer necessary since they were upgraded by Spring
• Removed the explicit inclusion of Junit5 , as it is provided transitively by spring-boot-starter-test. Keeping it explicitly declared leads to version conflicts, which goes against the JUnit project's recommendations for Spring Boot.

How Has This Been Tested? (put an "x" (case-sensitive!) next to an item)

• Covered by existing automation

Checklist (put an "x" (case-sensitive!) next to all the items, otherwise the build will fail)

• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation (e.g. ENVIRONMENT VARIABLES)
• My changes generate no new warnings (e.g. Sonar is happy)
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes
• Any dependent changes have been merged

A picture of a cute animal (not mandatory but encouraged)

[yeikel]

JUnit 5, in particular, was causing a direct conflict that might be resolved by upgrading or aligning versions. However, since it’s brought in transitively by one our direct test dependencies, maintaining version alignment doesn't seem worth pursuing.

Mockit and assertj are also included transitively and technically falls into the same category, but it didn’t cause any issues during this upgrade.

Overall, reducing the number of explicitly managed dependencies isn’t a bad idea, so I’m open to removing them as well.

@Haarolean What do you think?

[Haarolean]

I don't think it's a good idea to use some random junit/mockito versions pulled transitively. Bumping some other unrelated dependency then can break things, and junit is kinda known for breaking things sometimes.

[yeikel]

Do you suggest that we continue to sync them? Because what motivated this change is to align them with what Spring boot Uses as it was failing due to a conflict

[Haarolean]

I'd align them (explicitly) with whatever spring boot uses itself, so in this case we'd have the same issues like we have now (version mismatch) rather than suddenly failing tests (say, when spring boot is bumped next time). What do you think?

[yeikel]

This may cause issues for anyone using this functionality, but there does not seem to be a clear fix for this other than prometheus/client_java#1431

None of our tests seem to be flagging this right now but it may be a matter of coverage

@Haarolean What do you think?

[yeikel]

For now, I pushed b57acf5 which we can revert as needed

[Haarolean]

Yeah I doubt we have tests for this. However we should have a docker-compose somewhere in documentation/compose to try it out with prometheus.