From 9a1a7716f21d089fdf5004438dcf443c8a4340ac Mon Sep 17 00:00:00 2001
From: Amit Kumar <ak.nitrr13@gmail.com>
Date: Fri, 17 Apr 2026 13:40:31 +0000
Subject: [PATCH] fix(deps): clear all 12 known CVEs from the 2026-04-17
 baseline
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bumps every dependency flagged by the OSV-Scanner + Dependabot pass to
its fixed version. Re-running OSV after this commit: 0 findings.

Maven (all transitive, overridden via pom properties and
dependencyManagement — nothing to change in our direct dep list):

  tomcat-embed-core       11.0.20 -> 11.0.21   (tomcat.version property)
    CVE-2026-34483 HIGH: JsonAccessLogValve improper encoding
    CVE-2026-34487 HIGH: sensitive info insertion into log file
    CVE-2026-34500 MOD : CLIENT_CERT auth does not fail as expected

  tools.jackson.core:*    3.1.0   -> 3.1.1     (explicit management entries)
    GHSA-2m67-wjpj-xhg9 HIGH: document length bypass in blocking/async/
                              DataInput parsers

  log4j-core              2.25.3  -> 2.25.4    (explicit management entry)
    CVE-2026-34477 MOD : verifyHostName silently ignored in TLS config
    CVE-2026-34478 MOD : log injection in Rfc5424Layout
    CVE-2026-34480 MOD : silent log-event loss in XmlLayout

  log4j-layout-template-json  2.25.3 -> 2.25.4
    CVE-2026-34481 MOD : improper serialization of non-finite floats

  shiro-core              2.0.6   -> 2.1.0
    CVE-2026-23901 LOW : observable timing discrepancy
    (pulled in by neo4j-security)

  mcp-core                1.1.0   -> 1.1.1
    CVE-2026-34237 MOD : hardcoded wildcard CORS on MCP endpoints.
    Load-bearing for us — our read-only MCP API should not accept
    cross-origin requests from arbitrary origins.

npm (direct dev dependency):

  vite                    6.4.1   -> 6.4.2     (src/main/frontend/)
    CVE-2026-39363 HIGH: arbitrary file read via dev server WebSocket
    CVE-2026-39365 MOD : path traversal in optimized deps .map handling
    Dev-only (build tool) — blast radius is the developer machine.

Note on Jackson: Spring Boot 4.0.5's `<jackson.version>` property pins
only the new-API artifacts (tools.jackson.core:*) — Spring Boot does
not propagate it to them, so the property override by itself is a
no-op. Explicit <dependencyManagement> entries for jackson-core /
-databind / -annotations are required until the Boot BOM catches up.

Revert hints are captured in the pom's comment blocks so when Spring
Boot 4.0.6+ / the Spring-AI BOM / Neo4j 2026.02.4 ship with these
versions naturally, these overrides can go away.

Verified:
  mvn test       -> 3,059 tests, 0 failures, 0 errors
  osv-scanner     -> 0 findings (was 12: 4 HIGH / 7 MOD / 1 LOW)
  dependency:tree -> all 6 Maven and 1 npm versions match fix targets
---
 pom.xml                             | 76 +++++++++++++++++++++++++++++
 src/main/frontend/package-lock.json |  8 +--
 src/main/frontend/package.json      |  4 +-
 3 files changed, 82 insertions(+), 6 deletions(-)

diff --git a/pom.xml b/pom.xml
index c193d8ed..ec1fa21d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -29,6 +29,21 @@
         <spotbugs.version>4.9.8.3</spotbugs.version>
         <owasp.dependency-check.version>12.2.0</owasp.dependency-check.version>
         <checkstyle-plugin.version>3.6.0</checkstyle-plugin.version>
+
+        <!--
+          Security override: Spring Boot 4.0.5 pulls tomcat-embed-core 11.0.20
+          and jackson (tools.jackson.core) 3.1.0; both have CVEs fixed in the
+          next patch release. Bumping these via the Spring-Boot-managed
+          properties so all starter-managed artifacts pick up the fix
+          without a full Spring Boot version change. Revert these when
+          Spring Boot 4.0.6+ ships with the same or newer versions.
+            tomcat 11.0.20 -> 11.0.21  (CVE-2026-34483 HIGH,
+                                        CVE-2026-34487 HIGH,
+                                        CVE-2026-34500 MODERATE)
+            jackson 3.1.0  -> 3.1.1    (GHSA-2m67-wjpj-xhg9 HIGH)
+        -->
+        <tomcat.version>11.0.21</tomcat.version>
+        <jackson.version>3.1.1</jackson.version>
     </properties>
 
     <dependencyManagement>
@@ -40,6 +55,67 @@
                 <type>pom</type>
                 <scope>import</scope>
             </dependency>
+
+            <!--
+              Security overrides for transitive CVE-affected dependencies that
+              Spring Boot's managed-versions machinery does not cover:
+                log4j-core 2.25.3 -> 2.25.4          (CVE-2026-34477 MOD,
+                                                      CVE-2026-34478 MOD,
+                                                      CVE-2026-34480 MOD)
+                log4j-layout-template-json 2.25.3 -> 2.25.4  (CVE-2026-34481 MOD)
+                  •both pulled in transitively by Neo4j 2026.02.3.
+                shiro-core 2.0.6 -> 2.1.0            (CVE-2026-23901 LOW)
+                  •pulled in by neo4j-security.
+                mcp-core 1.1.0 -> 1.1.1              (CVE-2026-34237 MOD)
+                  •hardcoded wildcard CORS; pulled in by Spring AI MCP
+                  starter. Directly load-bearing for our read-only MCP
+                  endpoints: fix is non-optional.
+              Revert overrides once the upstream BOMs ship matching versions.
+            -->
+            <dependency>
+                <groupId>org.apache.logging.log4j</groupId>
+                <artifactId>log4j-core</artifactId>
+                <version>2.25.4</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.logging.log4j</groupId>
+                <artifactId>log4j-layout-template-json</artifactId>
+                <version>2.25.4</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.shiro</groupId>
+                <artifactId>shiro-core</artifactId>
+                <version>2.1.0</version>
+            </dependency>
+            <dependency>
+                <groupId>io.modelcontextprotocol.sdk</groupId>
+                <artifactId>mcp-core</artifactId>
+                <version>1.1.1</version>
+            </dependency>
+
+            <!--
+              Explicit override for Jackson 3.x (tools.jackson.core). Spring
+              Boot 4.0.5's managed-versions machinery pins these to 3.1.0 via
+              its own BOM and the `<jackson.version>` property does not
+              propagate to the new-API artifacts. Pin to 3.1.1 until Spring
+              Boot 4.0.6+ ships with the fix (GHSA-2m67-wjpj-xhg9 HIGH,
+              document length bypass in blocking/async/DataInput parsers).
+            -->
+            <dependency>
+                <groupId>tools.jackson.core</groupId>
+                <artifactId>jackson-core</artifactId>
+                <version>3.1.1</version>
+            </dependency>
+            <dependency>
+                <groupId>tools.jackson.core</groupId>
+                <artifactId>jackson-databind</artifactId>
+                <version>3.1.1</version>
+            </dependency>
+            <dependency>
+                <groupId>tools.jackson.core</groupId>
+                <artifactId>jackson-annotations</artifactId>
+                <version>3.1.1</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>
 
diff --git a/src/main/frontend/package-lock.json b/src/main/frontend/package-lock.json
index b681787c..b409fc47 100644
--- a/src/main/frontend/package-lock.json
+++ b/src/main/frontend/package-lock.json
@@ -24,7 +24,7 @@
         "@types/react-dom": "^18.3.5",
         "@vitejs/plugin-react": "^4.3.4",
         "typescript": "~5.7.3",
-        "vite": "^6.1.0"
+        "vite": "^6.4.2"
       }
     },
     "node_modules/@ant-design/colors": {
@@ -2975,9 +2975,9 @@
       }
     },
     "node_modules/vite": {
-      "version": "6.4.1",
-      "resolved": "https://registry.npmjs.org/vite/-/vite-6.4.1.tgz",
-      "integrity": "sha512-+Oxm7q9hDoLMyJOYfUYBuHQo+dkAloi33apOPP56pzj+vsdJDzr+j1NISE5pyaAuKL4A3UD34qd0lx5+kfKp2g==",
+      "version": "6.4.2",
+      "resolved": "https://registry.npmjs.org/vite/-/vite-6.4.2.tgz",
+      "integrity": "sha512-2N/55r4JDJ4gdrCvGgINMy+HH3iRpNIz8K6SFwVsA+JbQScLiC+clmAxBgwiSPgcG9U15QmvqCGWzMbqda5zGQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
diff --git a/src/main/frontend/package.json b/src/main/frontend/package.json
index 3717f488..19eabb14 100644
--- a/src/main/frontend/package.json
+++ b/src/main/frontend/package.json
@@ -12,8 +12,8 @@
     "test:e2e:report": "playwright show-report"
   },
   "dependencies": {
-    "antd": "^5.24.7",
     "@ant-design/icons": "^5.6.1",
+    "antd": "^5.24.7",
     "echarts": "^5.6.0",
     "echarts-for-react": "^3.0.2",
     "react": "^18.3.1",
@@ -32,6 +32,6 @@
     "@types/react-dom": "^18.3.5",
     "@vitejs/plugin-react": "^4.3.4",
     "typescript": "~5.7.3",
-    "vite": "^6.1.0"
+    "vite": "^6.4.2"
   }
 }