Skip to content

[bot] Merge 26.7 to develop#1439

Merged
github-actions[bot] merged 5 commits into
developfrom
fb_bot_merge_26.7
Jul 8, 2026
Merged

[bot] Merge 26.7 to develop#1439
github-actions[bot] merged 5 commits into
developfrom
fb_bot_merge_26.7

Conversation

@github-actions

@github-actions github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Generated automatically.
Merging changes from: 93a5d26
Approve all matching PRs simultaneously.
Approval will trigger automatic merge.
Verify all PRs before approving: https://internal.labkey.com/Scrumtime/Backlog/harvest-gitOpenPullRequests.view?branch=fb_bot_merge_26.7

labkey-martyp and others added 5 commits July 1, 2026 11:49
## Rationale

The 26.3 OWASP Dependency Check build flagged 18 findings: seven CVEs
(CVE-2026-54512 through CVE-2026-54518) against each of Jackson 2.x
(com.fasterxml.jackson.core:jackson-databind 2.21.0) and Jackson 3.x
(tools.jackson.core:jackson-databind 3.1.0), plus CVE-2026-53914 against
the transitive Kotlin jars.

## Related Pull Requests

None.

## Changes

- Bump Jackson 2.x (jacksonVersion, jacksonDatabindVersion,
jacksonJaxrsBaseVersion) to 2.21.4 and jackson3Version to 3.1.4.
- Suppress CVE-2026-53914 for the transitive Kotlin jars (not
applicable: LabKey compiles no Kotlin; the jars are transitive OkHttp
runtime deps).
## Rationale
Support indexing wikis

## Related Pull Requests
- <!-- list of links to related pull requests (replace this comment) -->

## Changes

<!-- list of standard tasks (remove this comment to enable)
## Tasks 📍
- [ ] Claude Code Review
- [ ] Manual Testing
- [ ] Test Automation
- [ ] Verify Fix
-->
## Rationale

Routine upkeep of the third-party dependency versions catalogued in the
Core Infrastructure "Upgrade Dependencies" doc, keeping us current for
security and bug fixes. Scope is limited to doc-tracked dependencies
with clean, low-risk upgrades; forced-for-consistency transitives and
caveated upgrades were deliberately excluded and left for separate,
individually-tested changes.

## Related Pull Requests

- Replaces #1430, which GitHub closed permanently when its head branch
was renamed for release retargeting.

## Changes

- Bump 14 doc-tracked dependency versions in `gradle.properties`:
apacheDirectory 2.1.7→2.1.8, apacheMina 2.2.7→2.2.9, azureIdentity
1.18.3→1.18.4, commonmark 0.28.0→0.29.0, commonsLogging 1.3.6→1.4.0,
datadog 1.62.0→1.63.2, googleErrorProneAnnotations 2.49.0→2.50.0,
googleHttpClient 2.1.0→2.1.1, grpc 1.81.0→1.82.1, httpcore5 5.4.2→5.4.3,
jaxb 4.0.8→4.0.9, lucene 10.4.0→10.5.0, postgresqlDriver
42.7.11→42.7.12, sqliteJdbc 3.53.1.0→3.53.2.0.
@github-actions github-actions Bot merged commit 9e219d0 into develop Jul 8, 2026
7 checks passed
@github-actions github-actions Bot deleted the fb_bot_merge_26.7 branch July 8, 2026 14:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants