|
74 | 74 | 'bootstrap-icons.version' : '1.13.1', |
75 | 75 | 'bootstrap.version' : '5.3.8', |
76 | 76 | 'checker-qual.version' : '3.55.1', |
| 77 | + 'commons-codec.version' : '1.22.0', |
77 | 78 | 'geb-spock.version' : '8.0.1', |
78 | 79 | // Pinned deliberately as a drift tripwire even though it matches Spring Boot's |
79 | 80 | // managed version: graphql-java-extended-scalars (below) is NOT managed by Spring |
|
88 | 89 | 'httpcore5.version' : '5.4.3', |
89 | 90 | // Security: overrides the transitive com.fasterxml Jackson 2.x. 2.21.5 fixes CVE-2026-54515 flagged against 2.21.4. |
90 | 91 | 'jackson2.version' : '2.21.5', |
| 92 | + // Security: overrides spring-boot-dependencies (3.1.4). 3.1.5 fixes CVE-2026-59889 (JsonView bypass) flagged against jackson-databind. |
| 93 | + 'jackson3.version' : '3.1.5', |
91 | 94 | 'jquery.version' : '3.7.1', |
92 | 95 | 'kotlin.version' : '2.2.21', |
93 | 96 | 'liquibase-hibernate5.version' : '4.27.0', |
@@ -132,6 +135,7 @@ ext { |
132 | 135 | 'bootstrap-icons' : "org.webjars.npm:bootstrap-icons:${bomDependencyVersions['bootstrap-icons.version']}", |
133 | 136 | 'cas-client-core' : "org.apereo.cas.client:cas-client-core:${bomDependencyVersions['cas-client-core.version']}", |
134 | 137 | 'checker-qual' : "org.checkerframework:checker-qual:${bomDependencyVersions['checker-qual.version']}", |
| 138 | + 'commons-codec' : "commons-codec:commons-codec:${bomDependencyVersions['commons-codec.version']}", |
135 | 139 | 'geb-spock' : "org.apache.groovy.geb:geb-spock:${bomDependencyVersions['geb-spock.version']}", |
136 | 140 | 'graphql-java' : "com.graphql-java:graphql-java:${bomDependencyVersions['graphql-java.version']}", |
137 | 141 | 'graphql-java-extended-scalars': "com.graphql-java:graphql-java-extended-scalars:${bomDependencyVersions['graphql-java-extended-scalars.version']}", |
@@ -174,6 +178,10 @@ ext { |
174 | 178 | // jackson-annotations is out of lockstep (no 2.21.5 release) and stays transitively managed. |
175 | 179 | 'jackson2-core' : "com.fasterxml.jackson.core:jackson-core:${bomDependencyVersions['jackson2.version']}", |
176 | 180 | 'jackson2-databind' : "com.fasterxml.jackson.core:jackson-databind:${bomDependencyVersions['jackson2.version']}", |
| 181 | + // Security override of spring-boot-dependencies - see jackson3.version. databind 3.1.5 pins |
| 182 | + // jackson-core 3.1.5 via its parent pom, so the BOM must manage core in lockstep (rule 14). |
| 183 | + 'jackson3-core' : "tools.jackson.core:jackson-core:${bomDependencyVersions['jackson3.version']}", |
| 184 | + 'jackson3-databind' : "tools.jackson.core:jackson-databind:${bomDependencyVersions['jackson3.version']}", |
177 | 185 | 'jquery' : "org.webjars.npm:jquery:${bomDependencyVersions['jquery.version']}", |
178 | 186 | // Security override of spring-boot-dependencies - see logback.version |
179 | 187 | 'logback-classic' : "ch.qos.logback:logback-classic:${bomDependencyVersions['logback.version']}", |
|
0 commit comments