Skip to content

Commit 8f9d7aa

Browse files
authored
Merge branch '8.0.x' into feat/i18n-available-locale-selector
2 parents 081acf9 + b5e583a commit 8f9d7aa

2 files changed

Lines changed: 10 additions & 0 deletions

File tree

dependencies.gradle

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -74,6 +74,7 @@ ext {
7474
'bootstrap-icons.version' : '1.13.1',
7575
'bootstrap.version' : '5.3.8',
7676
'checker-qual.version' : '3.55.1',
77+
'commons-codec.version' : '1.22.0',
7778
'geb-spock.version' : '8.0.1',
7879
// Pinned deliberately as a drift tripwire even though it matches Spring Boot's
7980
// managed version: graphql-java-extended-scalars (below) is NOT managed by Spring
@@ -88,6 +89,8 @@ ext {
8889
'httpcore5.version' : '5.4.3',
8990
// Security: overrides the transitive com.fasterxml Jackson 2.x. 2.21.5 fixes CVE-2026-54515 flagged against 2.21.4.
9091
'jackson2.version' : '2.21.5',
92+
// Security: overrides spring-boot-dependencies (3.1.4). 3.1.5 fixes CVE-2026-59889 (JsonView bypass) flagged against jackson-databind.
93+
'jackson3.version' : '3.1.5',
9194
'jquery.version' : '3.7.1',
9295
'kotlin.version' : '2.2.21',
9396
'liquibase-hibernate5.version' : '4.27.0',
@@ -132,6 +135,7 @@ ext {
132135
'bootstrap-icons' : "org.webjars.npm:bootstrap-icons:${bomDependencyVersions['bootstrap-icons.version']}",
133136
'cas-client-core' : "org.apereo.cas.client:cas-client-core:${bomDependencyVersions['cas-client-core.version']}",
134137
'checker-qual' : "org.checkerframework:checker-qual:${bomDependencyVersions['checker-qual.version']}",
138+
'commons-codec' : "commons-codec:commons-codec:${bomDependencyVersions['commons-codec.version']}",
135139
'geb-spock' : "org.apache.groovy.geb:geb-spock:${bomDependencyVersions['geb-spock.version']}",
136140
'graphql-java' : "com.graphql-java:graphql-java:${bomDependencyVersions['graphql-java.version']}",
137141
'graphql-java-extended-scalars': "com.graphql-java:graphql-java-extended-scalars:${bomDependencyVersions['graphql-java-extended-scalars.version']}",
@@ -174,6 +178,10 @@ ext {
174178
// jackson-annotations is out of lockstep (no 2.21.5 release) and stays transitively managed.
175179
'jackson2-core' : "com.fasterxml.jackson.core:jackson-core:${bomDependencyVersions['jackson2.version']}",
176180
'jackson2-databind' : "com.fasterxml.jackson.core:jackson-databind:${bomDependencyVersions['jackson2.version']}",
181+
// Security override of spring-boot-dependencies - see jackson3.version. databind 3.1.5 pins
182+
// jackson-core 3.1.5 via its parent pom, so the BOM must manage core in lockstep (rule 14).
183+
'jackson3-core' : "tools.jackson.core:jackson-core:${bomDependencyVersions['jackson3.version']}",
184+
'jackson3-databind' : "tools.jackson.core:jackson-databind:${bomDependencyVersions['jackson3.version']}",
177185
'jquery' : "org.webjars.npm:jquery:${bomDependencyVersions['jquery.version']}",
178186
// Security override of spring-boot-dependencies - see logback.version
179187
'logback-classic' : "ch.qos.logback:logback-classic:${bomDependencyVersions['logback.version']}",

grails-test-examples/spring-dependency-management/build.gradle

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -65,6 +65,8 @@ dependencyManagement {
6565
// sourcing the number from dependencies.gradle so it stays the single source of truth.
6666
apply from: rootProject.layout.projectDirectory.file('dependencies.gradle')
6767
ext['logback.version'] = bomDependencyVersions['logback.version']
68+
// Same situation for the Jackson 3 security override (CVE-2026-59889) - see jackson3.version in dependencies.gradle.
69+
ext['jackson-bom.version'] = bomDependencyVersions['jackson3.version']
6870

6971
dependencies {
7072
implementation 'org.apache.grails:grails-dependencies-starter-web'

0 commit comments

Comments
 (0)