From c0ba67ec37a1bc0c82e9946ff4dd25167b662db3 Mon Sep 17 00:00:00 2001
From: Damien Palacio
Date: Tue, 9 Jun 2026 15:50:20 +0200
Subject: [PATCH] LTECH-532: Override tomcat-embed to 11.0.22 to patch CVEs

Spring Boot 4.0.6 manages tomcat-embed-core 11.0.21, which is affected by 7 Dependabot advisories (LTECH-523/524/525/526/527/532/533), including 3 CRITICAL. Pin tomcat.version to 11.0.22, the first patched release, via the Spring dependency-management property.

Co-Authored-By: Claude Opus 4.7
---
 build.gradle | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/build.gradle b/build.gradle
index 57ddf3e..bfb9726 100644
--- a/build.gradle
+++ b/build.gradle
@@ -13,6 +13,8 @@ java {
 }
 }
 
+ext['tomcat.version'] = '11.0.22'
+
 configurations {
 compileOnly {
 extendsFrom annotationProcessor
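Review bot: The added `ext['tomcat.version'] = '11.0.22'` has no comment saying why the override exists or when it can go, so it will keep holding Tomcat at 11.0.22 after a later Spring Boot release manages a newer patched version. I would put a comment directly above it, for example `// LTECH-532: Boot 4.0.6 manages Tomcat 11.0.21 (vulnerable); remove once the Boot BOM manages >= 11.0.22`. The property is only honoured when the `io.spring.dependency-management` plugin is applied, and the `plugins` block is outside this hunk. If the build imports the Boot BOM through Gradle's native `platform(...)` support instead, the line is presumably a silent no-op and 11.0.21 still ships. It is worth confirming the resolved version with `./gradlew dependencyInsight --dependency tomcat-embed-core --configuration runtimeClasspath` before closing the advisories.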