RandomCodeSpace · aksOps · Apr 17, 2026 · Apr 17, 2026
diff --git a/pom.xml b/pom.xml
@@ -29,6 +29,21 @@
         <spotbugs.version>4.9.8.3</spotbugs.version>
         <owasp.dependency-check.version>12.2.0</owasp.dependency-check.version>
         <checkstyle-plugin.version>3.6.0</checkstyle-plugin.version>
+
+        <!--
+          Security override: Spring Boot 4.0.5 pulls tomcat-embed-core 11.0.20
+          and jackson (tools.jackson.core) 3.1.0; both have CVEs fixed in the
+          next patch release. Bumping these via the Spring-Boot-managed
+          properties so all starter-managed artifacts pick up the fix
+          without a full Spring Boot version change. Revert these when
+          Spring Boot 4.0.6+ ships with the same or newer versions.
+            tomcat 11.0.20 -> 11.0.21  (CVE-2026-34483 HIGH,
+                                        CVE-2026-34487 HIGH,
+                                        CVE-2026-34500 MODERATE)
+            jackson 3.1.0  -> 3.1.1    (GHSA-2m67-wjpj-xhg9 HIGH)
+        -->
+        <tomcat.version>11.0.21</tomcat.version>
+        <jackson.version>3.1.1</jackson.version>
     </properties>
 
     <dependencyManagement>
@@ -40,6 +55,67 @@
                 <type>pom</type>
                 <scope>import</scope>
             </dependency>
+
+            <!--
+              Security overrides for transitive CVE-affected dependencies that
+              Spring Boot's managed-versions machinery does not cover:
+                log4j-core 2.25.3 -> 2.25.4          (CVE-2026-34477 MOD,
+                                                      CVE-2026-34478 MOD,
+                                                      CVE-2026-34480 MOD)
+                log4j-layout-template-json 2.25.3 -> 2.25.4  (CVE-2026-34481 MOD)
+                  •both pulled in transitively by Neo4j 2026.02.3.
+                shiro-core 2.0.6 -> 2.1.0            (CVE-2026-23901 LOW)
+                  •pulled in by neo4j-security.
+                mcp-core 1.1.0 -> 1.1.1              (CVE-2026-34237 MOD)
+                  •hardcoded wildcard CORS; pulled in by Spring AI MCP
+                  starter. Directly load-bearing for our read-only MCP
+                  endpoints: fix is non-optional.
+              Revert overrides once the upstream BOMs ship matching versions.
+            -->
+            <dependency>
+                <groupId>org.apache.logging.log4j</groupId>
+                <artifactId>log4j-core</artifactId>
+                <version>2.25.4</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.logging.log4j</groupId>
+                <artifactId>log4j-layout-template-json</artifactId>
+                <version>2.25.4</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.shiro</groupId>
+                <artifactId>shiro-core</artifactId>
+                <version>2.1.0</version>
+            </dependency>
+            <dependency>
+                <groupId>io.modelcontextprotocol.sdk</groupId>
+                <artifactId>mcp-core</artifactId>
+                <version>1.1.1</version>
+            </dependency>
+
+            <!--
+              Explicit override for Jackson 3.x (tools.jackson.core). Spring
+              Boot 4.0.5's managed-versions machinery pins these to 3.1.0 via
+              its own BOM and the `<jackson.version>` property does not
+              propagate to the new-API artifacts. Pin to 3.1.1 until Spring
+              Boot 4.0.6+ ships with the fix (GHSA-2m67-wjpj-xhg9 HIGH,
+              document length bypass in blocking/async/DataInput parsers).
+            -->
+            <dependency>
+                <groupId>tools.jackson.core</groupId>
+                <artifactId>jackson-core</artifactId>
+                <version>3.1.1</version>
+            </dependency>
+            <dependency>
+                <groupId>tools.jackson.core</groupId>
+                <artifactId>jackson-databind</artifactId>
+                <version>3.1.1</version>
+            </dependency>
+            <dependency>
+                <groupId>tools.jackson.core</groupId>
+                <artifactId>jackson-annotations</artifactId>
+                <version>3.1.1</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>
 

diff --git a/src/main/frontend/package-lock.json b/src/main/frontend/package-lock.json
diff --git a/src/main/frontend/package.json b/src/main/frontend/package.json
@@ -12,8 +12,8 @@
     "test:e2e:report": "playwright show-report"
   },
   "dependencies": {
-    "antd": "^5.24.7",
     "@ant-design/icons": "^5.6.1",
+    "antd": "^5.24.7",
     "echarts": "^5.6.0",
     "echarts-for-react": "^3.0.2",
     "react": "^18.3.1",
@@ -32,6 +32,6 @@
     "@types/react-dom": "^18.3.5",
     "@vitejs/plugin-react": "^4.3.4",
     "typescript": "~5.7.3",
-    "vite": "^6.1.0"
+    "vite": "^6.4.2"
   }
 }