From 99ff633d0d2794bf70a9c73a8b97a3d349d2d18b Mon Sep 17 00:00:00 2001 From: labkey-susanh Date: Wed, 19 Nov 2025 10:09:39 -0800 Subject: [PATCH 1/8] Update versions for various dependencies --- gradle.properties | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/gradle.properties b/gradle.properties index cc681b2f2c..47a541434d 100644 --- a/gradle.properties +++ b/gradle.properties @@ -60,7 +60,7 @@ windowsProteomicsBinariesVersion=1.0 artifactoryPluginVersion=5.2.5 gradleNodePluginVersion=7.1.0 gradlePluginsVersion=7.1.0 -owaspDependencyCheckPluginVersion=12.1.8 +owaspDependencyCheckPluginVersion=12.1.9 versioningPluginVersion=1.1.3 # Versions of node and npm to use during the build. If set, these versions @@ -99,7 +99,7 @@ apacheDirectoryVersion=2.1.7 apacheMinaVersion=2.2.4 # Usually matches the version specified as a Spring Boot dependency (see springBootVersion below) -apacheTomcatVersion=10.1.48 +apacheTomcatVersion=10.1.49 # (mothership) -> json-path -> json-smart -> accessor-smart # (core) -> graalvm @@ -122,24 +122,24 @@ commonmarkVersion=0.27.0 # the beanutils version is not the default version brought from commons-validator and/or commons-digester # in the :server:api module but is required for some of our code to compile commonsBeanutilsVersion=1.11.0 -commonsCodecVersion=1.19.0 +commonsCodecVersion=1.20.0 commonsCollections4Version=4.5.0 commonsCollectionsVersion=3.2.2 commonsCompressVersion=1.28.0 commonsDbcpVersion=1.4 commonsDigesterVersion=1.8.1 commonsDiscoveryVersion=0.2 -commonsIoVersion=2.20.0 -commonsLang3Version=3.19.0 +commonsIoVersion=2.21.0 +commonsLang3Version=3.20.0 commonsLangVersion=2.6 commonsLoggingVersion=1.3.5 commonsMath3Version=3.6.1 commonsPoolVersion=1.6 commonsTextVersion=1.14.0 -commonsValidatorVersion=1.10.0 +commonsValidatorVersion=1.10.1 commonsVfs2Version=2.10.0 -datadogVersion=1.54.0 +datadogVersion=1.55.0 dom4jVersion=2.1.4 @@ -155,7 +155,7 @@ fopVersion=2.11 # Force latest for consistency googleAutoValueAnnotationsVersion=1.10.4 -googleErrorProneAnnotationsVersion=2.42.0 +googleErrorProneAnnotationsVersion=2.44.0 googleHttpClientVersion=2.0.2 googleOauthClientVersion=1.39.0 googleProtocolBufVersion=3.25.8 @@ -166,7 +166,7 @@ googleProtocolBufVersion=3.25.8 # "java.lang.NoSuchMethodError: 'void com.google.gson.internal.ConstructorConstructor.(java.util.Map)'" errors gsonVersion=2.8.9 -grpcVersion=1.76.0 +grpcVersion=1.77.0 guavaVersion=33.5.0-jre @@ -267,7 +267,7 @@ pollingWatchVersion=0.2.0 # Newer versions of the driver have a perf degradation that's important for us. https://github.com/pgjdbc/pgjdbc/issues/3505 postgresqlDriverVersion=42.7.8 -quartzVersion=2.5.0 +quartzVersion=2.5.1 reflectionsVersion=0.10.2 @@ -290,9 +290,9 @@ snappyJavaVersion=1.1.10.8 # Also, update apacheTomcatVersion above to match Spring Boot's Tomcat dependency version springBootVersion=3.5.7 # This usually matches the Spring Framework version dictated by springBootVersion -springVersion=6.2.12 +springVersion=6.2.13 -sqliteJdbcVersion=3.50.3.0 +sqliteJdbcVersion=3.51.0.0 # NLP and SAML bring stax2-api in as a transitive dependency but with very different versions. We force the later version. stax2ApiVersion=4.2.2 From fdef0fe631fcfdf20ceb08a61326632557d883ac Mon Sep 17 00:00:00 2001 From: labkey-susanh Date: Wed, 19 Nov 2025 11:26:03 -0800 Subject: [PATCH 2/8] Update POI version and xmlbeans version --- gradle.properties | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gradle.properties b/gradle.properties index 47a541434d..5f1b79cd43 100644 --- a/gradle.properties +++ b/gradle.properties @@ -260,7 +260,7 @@ openTracingVersion=0.33.0 pdfboxVersion=3.0.4 # sync with version Tika ships -poiVersion=5.4.0 +poiVersion=5.5.0 pollingWatchVersion=0.2.0 @@ -322,4 +322,4 @@ xercesImplVersion=2.12.2 xmlApisVersion=1.0.b2 # sync with Tika/POI -xmlbeansVersion=5.2.0 +xmlbeansVersion=5.3.0 From 574f832000b54433bdb9c2abef4d82b1c0e20f94 Mon Sep 17 00:00:00 2001 From: labkey-susanh Date: Thu, 20 Nov 2025 09:41:44 -0800 Subject: [PATCH 3/8] Update jaxbApiVersion for consistency with updated quartz library --- gradle.properties | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gradle.properties b/gradle.properties index 5f1b79cd43..a60853af81 100644 --- a/gradle.properties +++ b/gradle.properties @@ -212,7 +212,7 @@ jaxbApiOldVersion=2.3.1 jaxbOldVersion=2.3.3 # All other direct and indirect uses of JAXB use the current, jakarta-packaged versions -jaxbApiVersion=4.0.2 +jaxbApiVersion=4.0.4 jaxbVersion=4.0.5 jaxrpcVersion=1.1 From 3114ea0c53d3967c306d3e2e42940b6f7a581ae5 Mon Sep 17 00:00:00 2001 From: labkey-susanh Date: Thu, 20 Nov 2025 09:44:27 -0800 Subject: [PATCH 4/8] Remove obsolete force due to workflow module --- build.gradle | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/build.gradle b/build.gradle index 5db80e3a39..2d1fb07f03 100644 --- a/build.gradle +++ b/build.gradle @@ -299,9 +299,6 @@ allprojects { force "io.grpc:grpc-stub:${grpcVersion}" force "io.grpc:grpc-xds:${grpcVersion}" - // workflow (Activiti) brings in older versions of these libraries, so we need to force these versions - force "com.fasterxml.jackson.core:jackson-core:${jacksonVersion}" - force "com.fasterxml.jackson.core:jackson-databind:${jacksonDatabindVersion}" // The version of picard we depend on brings in an older version of htsjdk, but SequenceAnalysis depends on a later version force "com.github.samtools:htsjdk:${htsjdkVersion}" // This is a dependency for HTSJDK. Force version for CVE-2023-43642 @@ -557,6 +554,6 @@ project.tasks.register('ijConfigure') { project.tasks.register('purgeNpmAlphaVersions', PurgeNpmAlphaVersions) { group = GroupNames.NPM_RUN description = "Given an alpha version prefix for npm packages via the property -P${PurgeNpmAlphaVersions.ALPHA_PREFIX_PROPERTY}=yourPrefix, " + - "removes all packages with versions that match that prefix from Artifactory (e.g., @labkey/components-1.2.3-yourPrefix.0 and @labkey/workflow-0.3.4-yourPrefix.1). " + + "removes all packages with versions that match that prefix from Artifactory (e.g., @labkey/components-1.2.3-yourPrefix.0 and @labkey/premium-0.3.4-yourPrefix.1). " + " Use -PdryRun to see what versions would be deleted without actually doing the deletion." } From 263e0f67ffca8e775c5d86934efe368935a9ed90 Mon Sep 17 00:00:00 2001 From: labkey-susanh Date: Thu, 20 Nov 2025 09:53:43 -0800 Subject: [PATCH 5/8] Restore required force for jackson and update just the comment --- build.gradle | 3 +++ 1 file changed, 3 insertions(+) diff --git a/build.gradle b/build.gradle index 2d1fb07f03..8358584730 100644 --- a/build.gradle +++ b/build.gradle @@ -299,6 +299,9 @@ allprojects { force "io.grpc:grpc-stub:${grpcVersion}" force "io.grpc:grpc-xds:${grpcVersion}" + // tcrdb, cloud, SequenceAnalysis, recipe mfa, pipeline, fileTransfer, docker mcc, DiscvrLabKeyModules:Studies and api have differnet versions of these libraries, so we need to force these versions + force "com.fasterxml.jackson.core:jackson-core:${jacksonVersion}" + force "com.fasterxml.jackson.core:jackson-databind:${jacksonDatabindVersion}" // The version of picard we depend on brings in an older version of htsjdk, but SequenceAnalysis depends on a later version force "com.github.samtools:htsjdk:${htsjdkVersion}" // This is a dependency for HTSJDK. Force version for CVE-2023-43642 From 770f89db013e287c05d4e2627f5ec33a06f1ffd6 Mon Sep 17 00:00:00 2001 From: labkey-susanh Date: Thu, 20 Nov 2025 10:57:48 -0800 Subject: [PATCH 6/8] Revert upgrade of POI and XMLBeans versions. We'll try these updates in a different branch --- gradle.properties | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gradle.properties b/gradle.properties index a60853af81..64eb58ef00 100644 --- a/gradle.properties +++ b/gradle.properties @@ -260,7 +260,7 @@ openTracingVersion=0.33.0 pdfboxVersion=3.0.4 # sync with version Tika ships -poiVersion=5.5.0 +poiVersion=5.4.0 pollingWatchVersion=0.2.0 @@ -322,4 +322,4 @@ xercesImplVersion=2.12.2 xmlApisVersion=1.0.b2 # sync with Tika/POI -xmlbeansVersion=5.3.0 +xmlbeansVersion=5.2.0 From 750f9b7df90937fdbecb66b377599631fb883d4e Mon Sep 17 00:00:00 2001 From: labkey-susanh Date: Thu, 20 Nov 2025 12:39:02 -0800 Subject: [PATCH 7/8] Force a version of JAXB bind-api --- build.gradle | 2 ++ gradle.properties | 3 ++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index 8358584730..efba3ce570 100644 --- a/build.gradle +++ b/build.gradle @@ -252,6 +252,8 @@ allprojects { force "org.eclipse.angus:angus-activation:${angusActivationVersion}" // force Jakarta Activation API version used by our Angus Activation implementation force "jakarta.activation:jakarta.activation-api:${jakartaActivationApiVersion}" + // SequenceAnalysis brings in an older version via biojava-genome 7.1.1 + force "jakarta.xml.bind:jakarta.xml.bind-api:${jaxbBindApiVersion}" // force version for accounts, api, query force "javax.validation:validation-api:${validationApiVersion}" // force version for accounts, docker, api, workflow diff --git a/gradle.properties b/gradle.properties index 64eb58ef00..f7331b0a7e 100644 --- a/gradle.properties +++ b/gradle.properties @@ -212,7 +212,8 @@ jaxbApiOldVersion=2.3.1 jaxbOldVersion=2.3.3 # All other direct and indirect uses of JAXB use the current, jakarta-packaged versions -jaxbApiVersion=4.0.4 +jaxbApiVersion=4.0.2 +jaxbBindApiVersion=4.0.4 jaxbVersion=4.0.5 jaxrpcVersion=1.1 From 3b8a2cd2622a062ca336fc7e18e98988cf8ade74 Mon Sep 17 00:00:00 2001 From: labkey-susanh Date: Thu, 20 Nov 2025 13:54:04 -0800 Subject: [PATCH 8/8] jaxbApiVersion is for bind-api. Remove redundancy --- build.gradle | 2 +- gradle.properties | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/build.gradle b/build.gradle index efba3ce570..6d6067aa4c 100644 --- a/build.gradle +++ b/build.gradle @@ -253,7 +253,7 @@ allprojects { // force Jakarta Activation API version used by our Angus Activation implementation force "jakarta.activation:jakarta.activation-api:${jakartaActivationApiVersion}" // SequenceAnalysis brings in an older version via biojava-genome 7.1.1 - force "jakarta.xml.bind:jakarta.xml.bind-api:${jaxbBindApiVersion}" + force "jakarta.xml.bind:jakarta.xml.bind-api:${jaxbApiVersion}" // force version for accounts, api, query force "javax.validation:validation-api:${validationApiVersion}" // force version for accounts, docker, api, workflow diff --git a/gradle.properties b/gradle.properties index f7331b0a7e..64eb58ef00 100644 --- a/gradle.properties +++ b/gradle.properties @@ -212,8 +212,7 @@ jaxbApiOldVersion=2.3.1 jaxbOldVersion=2.3.3 # All other direct and indirect uses of JAXB use the current, jakarta-packaged versions -jaxbApiVersion=4.0.2 -jaxbBindApiVersion=4.0.4 +jaxbApiVersion=4.0.4 jaxbVersion=4.0.5 jaxrpcVersion=1.1