[bot] Merge 26.7 to develop#1439
Merged
Merged
Conversation
## Rationale The 26.3 OWASP Dependency Check build flagged 18 findings: seven CVEs (CVE-2026-54512 through CVE-2026-54518) against each of Jackson 2.x (com.fasterxml.jackson.core:jackson-databind 2.21.0) and Jackson 3.x (tools.jackson.core:jackson-databind 3.1.0), plus CVE-2026-53914 against the transitive Kotlin jars. ## Related Pull Requests None. ## Changes - Bump Jackson 2.x (jacksonVersion, jacksonDatabindVersion, jacksonJaxrsBaseVersion) to 2.21.4 and jackson3Version to 3.1.4. - Suppress CVE-2026-53914 for the transitive Kotlin jars (not applicable: LabKey compiles no Kotlin; the jars are transitive OkHttp runtime deps).
## Rationale Support indexing wikis ## Related Pull Requests - <!-- list of links to related pull requests (replace this comment) --> ## Changes <!-- list of standard tasks (remove this comment to enable) ## Tasks 📍 - [ ] Claude Code Review - [ ] Manual Testing - [ ] Test Automation - [ ] Verify Fix -->
## Rationale Routine upkeep of the third-party dependency versions catalogued in the Core Infrastructure "Upgrade Dependencies" doc, keeping us current for security and bug fixes. Scope is limited to doc-tracked dependencies with clean, low-risk upgrades; forced-for-consistency transitives and caveated upgrades were deliberately excluded and left for separate, individually-tested changes. ## Related Pull Requests - Replaces #1430, which GitHub closed permanently when its head branch was renamed for release retargeting. ## Changes - Bump 14 doc-tracked dependency versions in `gradle.properties`: apacheDirectory 2.1.7→2.1.8, apacheMina 2.2.7→2.2.9, azureIdentity 1.18.3→1.18.4, commonmark 0.28.0→0.29.0, commonsLogging 1.3.6→1.4.0, datadog 1.62.0→1.63.2, googleErrorProneAnnotations 2.49.0→2.50.0, googleHttpClient 2.1.0→2.1.1, grpc 1.81.0→1.82.1, httpcore5 5.4.2→5.4.3, jaxb 4.0.8→4.0.9, lucene 10.4.0→10.5.0, postgresqlDriver 42.7.11→42.7.12, sqliteJdbc 3.53.1.0→3.53.2.0.
cnathe
approved these changes
Jul 8, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Generated automatically.
Merging changes from: 93a5d26
Approve all matching PRs simultaneously.
Approval will trigger automatic merge.
Verify all PRs before approving: https://internal.labkey.com/Scrumtime/Backlog/harvest-gitOpenPullRequests.view?branch=fb_bot_merge_26.7