From fea3fdd2da35724df2aa1fdd9823d6df24bfd30b Mon Sep 17 00:00:00 2001 From: Marty Pradere Date: Wed, 1 Jul 2026 10:49:42 -0700 Subject: [PATCH 1/3] Address OWASP dependency-check CVEs in Jackson and Kotlin (#1428) ## Rationale The 26.3 OWASP Dependency Check build flagged 18 findings: seven CVEs (CVE-2026-54512 through CVE-2026-54518) against each of Jackson 2.x (com.fasterxml.jackson.core:jackson-databind 2.21.0) and Jackson 3.x (tools.jackson.core:jackson-databind 3.1.0), plus CVE-2026-53914 against the transitive Kotlin jars. ## Related Pull Requests None. ## Changes - Bump Jackson 2.x (jacksonVersion, jacksonDatabindVersion, jacksonJaxrsBaseVersion) to 2.21.4 and jackson3Version to 3.1.4. - Suppress CVE-2026-53914 for the transitive Kotlin jars (not applicable: LabKey compiles no Kotlin; the jars are transitive OkHttp runtime deps). --- dependencyCheckSuppression.xml | 12 ++++++++++++ gradle.properties | 8 ++++---- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml index 4a7c257d00..0fe1a5999d 100644 --- a/dependencyCheckSuppression.xml +++ b/dependencyCheckSuppression.xml @@ -316,4 +316,16 @@ CVE-2025-15104 + + + + ^pkg:maven/org\.jetbrains\.kotlin/.*@.*$ + CVE-2026-53914 + + diff --git a/gradle.properties b/gradle.properties index 21f365151f..60f1759e85 100644 --- a/gradle.properties +++ b/gradle.properties @@ -195,15 +195,15 @@ httpcoreVersion=4.4.16 intellijKotlinVersion=2.3.10 # Update the three Jackson dependency versions below in tandem, unless one gets a patch release out-of-sync with the others -jacksonVersion=2.21.0 -jacksonDatabindVersion=2.21.0 -jacksonJaxrsBaseVersion=2.21.0 +jacksonVersion=2.21.4 +jacksonDatabindVersion=2.21.4 +jacksonJaxrsBaseVersion=2.21.4 # Note the inconsistent version numbering for "annotations"... it no longer matches the above jacksonAnnotationsVersion=2.21 # Spring Boot brings in a transitive dependency on Jackson 3.x. It has changed package names and can coexist with Jackson 2.x. -jackson3Version=3.1.0 +jackson3Version=3.1.4 # The Jakarta Activation API version that Angus Activation implements. Keep in sync with angusActivationVersion (above). jakartaActivationApiVersion=2.1.4 From 66fb499cbd2d9eadb47738f96136f439c892c6f5 Mon Sep 17 00:00:00 2001 From: labkey-matthewb Date: Wed, 1 Jul 2026 11:17:25 -0700 Subject: [PATCH 2/3] Documentation MCP (#1432) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Rationale Support indexing wikis ## Related Pull Requests - ## Changes --- build.gradle | 2 ++ gradle.properties | 1 + 2 files changed, 3 insertions(+) diff --git a/build.gradle b/build.gradle index 1ffa4c81aa..2222fee25a 100644 --- a/build.gradle +++ b/build.gradle @@ -205,6 +205,8 @@ allprojects { resolutionStrategy { // spring-ai pulls a different version of antr-ST4 than the version pulled by query (via antlr) force "org.antlr:ST4:${antlrST4Version}" + // different spring-ai artifacts (e.g. spring-ai-transformers) pull different antlr4-runtime versions than ST4 does + force "org.antlr:antlr4-runtime:${antlr4RuntimeVersion}" // also it pulls in a bunch of com.google.api dependencies which conflict with DiscvrLabKeyModules:SequenceAnalysis and wnprc-modules:WNPRC_EHR force "com.google.api:api-common:${googleApiVersion}" force "com.google.auth:google-auth-library-oauth2-http:${googleAuthVersion}" diff --git a/gradle.properties b/gradle.properties index 46b24d1745..e22a3aa0de 100644 --- a/gradle.properties +++ b/gradle.properties @@ -90,6 +90,7 @@ annotationsVersion=15.0 antVersion=1.10.17 antlrST4Version=4.3.4 +antlr4RuntimeVersion=4.13.2 #Unifying version used by DISCVR and Premium apacheDirectoryVersion=2.1.7 From 68602de4e9ef0291121ec23c4c00be981c532f6f Mon Sep 17 00:00:00 2001 From: Marty Pradere Date: Fri, 3 Jul 2026 12:13:03 -0700 Subject: [PATCH 3/3] Update tracked third-party dependency versions (#1434) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Rationale Routine upkeep of the third-party dependency versions catalogued in the Core Infrastructure "Upgrade Dependencies" doc, keeping us current for security and bug fixes. Scope is limited to doc-tracked dependencies with clean, low-risk upgrades; forced-for-consistency transitives and caveated upgrades were deliberately excluded and left for separate, individually-tested changes. ## Related Pull Requests - Replaces #1430, which GitHub closed permanently when its head branch was renamed for release retargeting. ## Changes - Bump 14 doc-tracked dependency versions in `gradle.properties`: apacheDirectory 2.1.7→2.1.8, apacheMina 2.2.7→2.2.9, azureIdentity 1.18.3→1.18.4, commonmark 0.28.0→0.29.0, commonsLogging 1.3.6→1.4.0, datadog 1.62.0→1.63.2, googleErrorProneAnnotations 2.49.0→2.50.0, googleHttpClient 2.1.0→2.1.1, grpc 1.81.0→1.82.1, httpcore5 5.4.2→5.4.3, jaxb 4.0.8→4.0.9, lucene 10.4.0→10.5.0, postgresqlDriver 42.7.11→42.7.12, sqliteJdbc 3.53.1.0→3.53.2.0. --- build.gradle | 3 +++ gradle.properties | 28 ++++++++++++++-------------- 2 files changed, 17 insertions(+), 14 deletions(-) diff --git a/build.gradle b/build.gradle index 2222fee25a..8c7c36b0ed 100644 --- a/build.gradle +++ b/build.gradle @@ -395,6 +395,9 @@ allprojects { // Spring AI 2.0 brings in Jackson3. Force it to match embedded and mitigate CVEs. force "tools.jackson.core:jackson-core:${jackson3Version}" + // Spring AI's pgvector-store brings in its own PostgreSQL JDBC driver; force ours + force "org.postgresql:postgresql:${postgresqlDriverVersion}" + dependencySubstitution { // Because the client api artifact name is not the same as the directory structure, we use // Gradle's dependency substitution so the dependency will appear correctly in the pom files that diff --git a/gradle.properties b/gradle.properties index e22a3aa0de..20b3c9b1f0 100644 --- a/gradle.properties +++ b/gradle.properties @@ -93,9 +93,9 @@ antlrST4Version=4.3.4 antlr4RuntimeVersion=4.13.2 #Unifying version used by DISCVR and Premium -apacheDirectoryVersion=2.1.7 +apacheDirectoryVersion=2.1.8 #Transitive dependency of Apache directory -apacheMinaVersion=2.2.7 +apacheMinaVersion=2.2.9 # Usually matches the version specified as a Spring Boot dependency (see springBootVersion below) apacheTomcatVersion=11.0.22 @@ -108,7 +108,7 @@ asmVersion=9.10 awsSdkVersion=2.29.50 # Microsoft library for sending OAuth2-authenticated notification emails via the Microsoft Graph API -azureIdentityVersion=1.18.3 +azureIdentityVersion=1.18.4 # Apache Batik -- Batik version needs to be compatible with Apache FOP, but we need to pull in batik-codec separately batikVersion=1.19 @@ -121,7 +121,7 @@ cglibNodepVersion=2.2.3 checkerQualVersion=3.53.0 -commonmarkVersion=0.28.0 +commonmarkVersion=0.29.0 # the beanutils version is not the default version brought from commons-validator and/or commons-digester # in the :server:api module but is required for some of our code to compile @@ -136,14 +136,14 @@ commonsDiscoveryVersion=0.2 commonsIoVersion=2.22.0 commonsLang3Version=3.20.0 commonsLangVersion=2.6 -commonsLoggingVersion=1.3.6 +commonsLoggingVersion=1.4.0 commonsMath3Version=3.6.1 commonsPoolVersion=1.6 commonsTextVersion=1.15.0 commonsValidatorVersion=1.10.1 commonsVfs2Version=2.10.0 -datadogVersion=1.62.0 +datadogVersion=1.63.2 dom4jVersion=2.2.0 @@ -161,13 +161,13 @@ fopVersion=2.11 googleApiVersion=2.47.0 googleAuthVersion=1.40.0 googleAutoValueAnnotationsVersion=1.10.4 -googleErrorProneAnnotationsVersion=2.49.0 -googleHttpClientVersion=2.1.0 +googleErrorProneAnnotationsVersion=2.50.0 +googleHttpClientVersion=2.1.1 googleOauthClientVersion=1.39.0 googleProtocolBufVersion=3.25.9 graphSupportVersion=1.5.2 -grpcVersion=1.81.0 +grpcVersion=1.82.1 # Cloud and SequenceAnalysis bring gson in as a transitive dependency. # We resolve to the later version here to keep things consistent @@ -186,7 +186,7 @@ hamcrestVersion=2.2 htsjdkVersion=4.3.0 httpclient5Version=5.5.2 -httpcore5Version=5.4.2 +httpcore5Version=5.4.3 # Not used directly, but these are widely used transitive dependencies httpclientVersion=4.5.14 @@ -220,7 +220,7 @@ jaxbOldVersion=2.3.3 # All other direct and indirect uses of JAXB use the current, jakarta-packaged versions jaxbApiVersion=4.0.5 -jaxbVersion=4.0.8 +jaxbVersion=4.0.9 jaxrpcVersion=1.1 @@ -253,7 +253,7 @@ log4j2Version=2.26.0 lombokVersion=1.18.46 -luceneVersion=10.4.0 +luceneVersion=10.5.0 # Microsoft library for sending OAuth2-authenticated notification emails via the Microsoft Graph API microsoftGraphVersion=6.65.0 @@ -279,7 +279,7 @@ poiVersion=5.5.1 pollingWatchVersion=0.2.0 -postgresqlDriverVersion=42.7.11 +postgresqlDriverVersion=42.7.12 quartzVersion=2.5.2 @@ -307,7 +307,7 @@ springBootVersion=4.1.0 springVersion=7.0.8 springAiVersion=2.0.0 -sqliteJdbcVersion=3.53.1.0 +sqliteJdbcVersion=3.53.2.0 # SAML brings stax2-api in as a transitive dependency. We force the latest version. stax2ApiVersion=4.2.2