Upgrade dependencies to address security vulnerabilities #5

Merged: askeita merged 4 commits into main from dev on May 27, 2026
Conversation

askeita (Owner) commented May 25, 2026

This pull request updates the pom.xml to address several security vulnerabilities by overriding specific dependencies with newer, secure versions. It also introduces new properties for dependency versions to make future updates easier.

Security and Dependency Updates:

  • MCP SDK and Core Updates

    • Added mcp-core and mcp dependencies at version 1.0.1 to address CVE-2026-34237 and CVE-2026-35568.
    • Introduced the mcp-sdk.version property for easier version management.
  • Jackson 3 Updates

  • Logback Update

    • Added the logback.version property for future dependency management.

This pull request updates several dependencies in the pom.xml file to keep the project up to date with the latest versions and improve compatibility and security. The most important changes are grouped below:

Dependency version upgrades:

  • Upgraded the Spring Boot parent version from 3.4.4 to 3.4.7 to include the latest bug fixes and improvements.
  • Updated the spring-ai version from 1.0.0 to 1.0.7 for enhanced AI integration support.
  • Added a new property for jackson-bom.version set to 2.18.6 to manage Jackson dependencies more effectively.
  • Upgraded the sqlite-jdbc dependency from 3.47.1.0 to 3.49.1.0 for improved database compatibility and bug fixes.
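
Overriding a transitive artifact through dependencyManagement (as this description and the commit message below do for tools.jackson.core:jackson-core) only helps if Maven's resolution actually picks the managed version. The POSIX shell check below is an added example, not code from this pull request or its project: it parses `mvn dependency:tree` output and fails when an artifact is absent or resolved below the required minimum. The tree text is constructed, and the `io.modelcontextprotocol.sdk` and `tools.jackson.dataformat` coordinates in it are assumed sample values, not taken from the PR.

```shell
#!/bin/sh
# Added example: verify that dependencyManagement overrides took effect.
# Real usage: TREE=$(mvn -q dependency:tree -Dincludes=tools.jackson.core)
# Constructed sample output (not captured from this project):
SAMPLE_TREE='[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] \- io.modelcontextprotocol.sdk:mcp-json-jackson3:jar:1.0.1:compile
[INFO]    +- tools.jackson.core:jackson-core:jar:3.1.1:compile
[INFO]    +- tools.jackson.core:jackson-databind:jar:3.1.1:compile
[INFO]    \- tools.jackson.dataformat:jackson-dataformat-yaml:jar:3.0.0:compile'

# resolved_version TREE GROUP ARTIFACT
# Prints the version Maven resolved for GROUP:ARTIFACT. Tree lines look like
# "group:artifact:jar[:classifier]:version:scope", so the version is always
# the second-to-last colon-separated field after the group:artifact prefix.
resolved_version() {
  printf '%s\n' "$1" | awk -v key="$2:$3:" '
    index($0, key) {
      n = split(substr($0, index($0, key) + length(key)), f, ":")
      print f[n - 1]; exit
    }'
}

# version_ge A B: success if dotted numeric version A >= B.
# Qualifiers such as "-rc1" are ignored (awk coerces "0-rc1" to 0).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "[.]"); nb = split(b, y, "[.]")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      p = (i <= na) ? x[i] + 0 : 0; q = (i <= nb) ? y[i] + 0 : 0
      if (p > q) exit 0
      if (p < q) exit 1
    }
    exit 0
  }'
}

# check_override TREE GROUP ARTIFACT MIN: success only if the artifact is on
# the classpath AND resolved to at least MIN. A missing artifact is treated as
# a failure, because an override of something not in the tree proves nothing.
check_override() {
  v=$(resolved_version "$1" "$2" "$3")
  [ -n "$v" ] || { echo "MISSING $2:$3" >&2; return 1; }
  version_ge "$v" "$4" || { echo "TOO OLD $2:$3 resolved $v (< $4)" >&2; return 1; }
  echo "OK      $2:$3 resolved $v (>= $4)"
}

# Demo: the yaml artifact in the sample is still 3.0.0, so this reports it.
for a in jackson-core jackson-databind; do
  check_override "$SAMPLE_TREE" tools.jackson.core "$a" 3.1.1 || status=1
done
check_override "$SAMPLE_TREE" tools.jackson.dataformat jackson-dataformat-yaml 3.1.1 || status=1
```

Run it against the real tree for every groupId the override list covers (the annotations artifact lives under a different groupId than the core ones), since a `-Dincludes` filter on one group silently hides the others.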

Copilot AI review requested due to automatic review settings May 25, 2026 21:24

Copilot AI left a comment

Pull request overview

This pull request updates Maven dependency versions in pom.xml to incorporate upstream bugfixes and security patches (notably Spring Boot, Spring AI, and SQLite JDBC).

Changes:

  • Bumped Spring Boot parent from 3.4.4 to 3.4.7.
  • Updated spring-ai.version from 1.0.0 to 1.0.7.
  • Added a jackson-bom.version property and upgraded sqlite-jdbc from 3.47.1.0 to 3.49.1.0.

askeita added 4 commits May 27, 2026 09:26
Fixes GHSA-72hv-8253-57qq, CVE-2026-29062, GHSA-2m67-wjpj-xhg9 in
tools.jackson.core:jackson-core (transitive via mcp-json-jackson3).
Bumped jackson3.version property to 3.1.1 and added dependencyManagement
overrides for jackson-core, jackson-databind, jackson-annotations and
jackson-dataformat-yaml.
@askeita askeita merged commit 5e63ef1 into main May 27, 2026
2 of 3 checks passed