fix(deps): Upgrade dependencies to address critical CVEs (#1716)

* fix: bump jackson to 2.21.2 to address CVE (SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551)

Upgrade jackson-bom from 2.16.2 to 2.21.2 to fix the high-severity
Allocation of Resources Without Limits or Throttling vulnerability
in jackson-core reported in #1714.

Signed-off-by: Javier Aliaga <javier@diagrid.io>

* fix(deps): upgrade dependencies to address multiple CVEs

- Spring Boot 3.4.10 → 3.4.13
- Spring Framework 6.2.11 → 6.2.17 (CVE injection)
- Jackson 3.x BOM 3.1.0 → 3.1.1 (SNYK-JAVA-TOOLSJACKSONCORE-15907550)
- Logback 1.5.18 → 1.5.25 (SNYK-JAVA-CHQOSLOGBACK-13169722, -15062482)
- Commons Compress 1.24.0 → 1.26.0 (SNYK-JAVA-ORGAPACHECOMMONS-6254296, -6254297)
- Tomcat Embed 10.1.46 → 10.1.52 (SNYK-JAVA-ORGAPACHETOMCATEMBED-15307781, -15307822)

Note: spring-boot-actuator auth bypass CVEs remain in example apps
only — requires Spring Boot 3.5.x which is a breaking change.

Signed-off-by: Javier Aliaga <javier@diagrid.io>

* fix(deps): upgrade Spring Boot to 3.5.12 and remove redundant overrides

Spring Boot 3.5.12 natively manages logback 1.5.32, tomcat 10.1.52,
and spring-framework 6.2.17 — removing all manual overrides that are
now unnecessary. This also resolves the spring-boot-actuator auth
bypass CVEs that required SB 3.5.x.

Only commons-compress 1.26.0 override remains (testcontainers transitive).

Signed-off-by: Javier Aliaga <javier@diagrid.io>

* chore(deps): remove unnecessary Jackson 3.x BOM overrides

Only dapr-spring-boot-4-autoconfigure and spring-boot-4-examples
actually use Jackson 3.x (tools.jackson.core). Removed the override
from 4 modules that don't pull it in transitively.

Signed-off-by: Javier Aliaga <javier@diagrid.io>

* fix(deps): add commons-codec dependency for commons-compress 1.26.0

Commons-compress 1.26.0 declares commons-codec as optional, but
testcontainers uses it at runtime causing ClassNotFoundException
for org.apache.commons.codec.Charsets.

Signed-off-by: Javier Aliaga <javier@diagrid.io>

* fix(deps): add commons-codec as direct dependency in testcontainers-dapr

The dependencyManagement entry alone doesn't pull in optional transitive
deps. commons-codec must be declared as a direct dependency so it's
available at runtime for commons-compress/testcontainers.

Signed-off-by: Javier Aliaga <javier@diagrid.io>

---------

Signed-off-by: Javier Aliaga <javier@diagrid.io>

Author: javier-aliaga

dapr-spring/dapr-spring-boot-4-autoconfigure/pom.xml

@@ -23,6 +23,14 @@
 
   <dependencyManagement>
     <dependencies>
+      <!-- Override Jackson 3.x for CVE SNYK-JAVA-TOOLSJACKSONCORE-15907550 (must precede SB BOM) -->
+      <dependency>
+        <groupId>tools.jackson</groupId>
+        <artifactId>jackson-bom</artifactId>
+        <version>3.1.1</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
       <dependency>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-dependencies</artifactId>

pom.xml

@@ -42,7 +42,7 @@
     <maven.compiler.target>11</maven.compiler.target>
     <maven.compiler.release>11</maven.compiler.release>
     <maven.deploy.skip>true</maven.deploy.skip>
-    <jackson.version>2.18.6</jackson.version>
+    <jackson.version>2.21.2</jackson.version>
     <gpg.skip>true</gpg.skip>
     <spotbugs.fail>true</spotbugs.fail>
     <spotbugs.exclude.filter.file>${maven.multiModuleProjectDirectory}/spotbugs-exclude.xml</spotbugs.exclude.filter.file>
@@ -52,10 +52,7 @@
     <junit-bom.version>5.11.4</junit-bom.version>
     <snakeyaml.version>2.0</snakeyaml.version>
     <testcontainers.version>1.21.4</testcontainers.version>
-    <!-- Do NOT UPGRADE spring.version without checking springboot.version alignment -->
-    <springboot.version>3.4.10</springboot.version>
-    <springframework.version>6.2.11</springframework.version>
-    <!-- Do NOT UPGRADE springframework.version without checking springboot.version alignment -->
+    <springboot.version>3.5.12</springboot.version>
     <nexus-staging-maven-plugin.version>1.7.0</nexus-staging-maven-plugin.version>
     <assertj.version>3.27.7</assertj.version>
     <opentelemetry.version>1.41.0</opentelemetry.version>
@@ -84,6 +81,8 @@
     <rest-assured.version>5.5.1</rest-assured.version>
     <!-- TODO: Remove netty-bom override once gRPC ships with Netty >= 4.1.132 (CVE-2026-33871, CVE-2026-33870) -->
     <netty.version>4.1.132.Final</netty.version>
+    <!-- TODO: Remove commons-compress override once testcontainers ships with >= 1.26.0 -->
+    <commons-compress.version>1.26.0</commons-compress.version>
   </properties>
 
   <distributionManagement>
@@ -164,6 +163,20 @@
         <scope>import</scope>
       </dependency>
 
+      <!-- ====================================================================== -->
+      <!-- Security overrides - Transitive dependency version fixes for CVEs   -->
+      <!-- ====================================================================== -->
+      <dependency>
+        <groupId>org.apache.commons</groupId>
+        <artifactId>commons-compress</artifactId>
+        <version>${commons-compress.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>commons-codec</groupId>
+        <artifactId>commons-codec</artifactId>
+        <version>1.17.2</version>
+      </dependency>
+
       <!-- ====================================================================== -->
       <!-- Direct dependencies - Only versions not managed by BOMs above         -->
       <!-- ====================================================================== -->

spring-boot-4-examples/pom.xml

@@ -28,6 +28,14 @@
 
   <dependencyManagement>
     <dependencies>
+      <!-- Override Jackson 3.x for CVE SNYK-JAVA-TOOLSJACKSONCORE-15907550 (must precede SB BOM) -->
+      <dependency>
+        <groupId>tools.jackson</groupId>
+        <artifactId>jackson-bom</artifactId>
+        <version>3.1.1</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
       <dependency>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-dependencies</artifactId>

testcontainers-dapr/pom.xml

@@ -24,6 +24,11 @@
 			<groupId>org.testcontainers</groupId>
 			<artifactId>testcontainers</artifactId>
 		</dependency>
+		<!-- Required at runtime by commons-compress (optional transitive from testcontainers) -->
+		<dependency>
+			<groupId>commons-codec</groupId>
+			<artifactId>commons-codec</artifactId>
+		</dependency>
 		<dependency>
 			<groupId>com.fasterxml.jackson.core</groupId>
 			<artifactId>jackson-databind</artifactId>