From 72eee16c6ca62863b05c2381b19f34d29d2b83cb Mon Sep 17 00:00:00 2001 From: labkey-jeckels Date: Tue, 10 Feb 2026 21:30:00 -0800 Subject: [PATCH 1/6] Upgrade Spring AI to 2.0.0-M2 --- gradle.properties | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/gradle.properties b/gradle.properties index 60168c0af5..afbc42fe86 100644 --- a/gradle.properties +++ b/gradle.properties @@ -195,9 +195,10 @@ httpcoreVersion=4.4.16 intellijKotlinVersion=1.9.10 # Update the three Jackson dependency versions below in tandem, unless one gets a patch release out-of-sync with the others -jacksonVersion=2.21.0 -jacksonDatabindVersion=2.21.0 -jacksonJaxrsBaseVersion=2.21.0 +jacksonVersion=3.0.3 +jacksonDatabindVersion=3.0.3 +jacksonJaxrsBaseVersion=3.0.3 +jacksonJsr310Version=3.0.0-rc2 # Note the inconsistent version numbering for "annotations"... it no longer matches the above jacksonAnnotationsVersion=2.21 @@ -291,7 +292,7 @@ snappyJavaVersion=1.1.10.8 springBootVersion=4.0.2 # This usually matches the Spring Framework version dictated by springBootVersion springVersion=7.0.3 -springAiVersion=1.1.2 +springAiVersion=2.0.0-M2 sqliteJdbcVersion=3.51.1.0 From c53febcb080d96f70db7a070a4b5199870587757 Mon Sep 17 00:00:00 2001 From: labkey-jeckels Date: Wed, 11 Feb 2026 08:16:22 -0800 Subject: [PATCH 2/6] Upgrade Spring AI to 2.0.0-M2 and add Jackson 3 --- gradle.properties | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/gradle.properties b/gradle.properties index afbc42fe86..45e6e434c5 100644 --- a/gradle.properties +++ b/gradle.properties @@ -195,10 +195,13 @@ httpcoreVersion=4.4.16 intellijKotlinVersion=1.9.10 # Update the three Jackson dependency versions below in tandem, unless one gets a patch release out-of-sync with the others -jacksonVersion=3.0.3 -jacksonDatabindVersion=3.0.3 -jacksonJaxrsBaseVersion=3.0.3 -jacksonJsr310Version=3.0.0-rc2 +jacksonVersion=2.21.0 +jacksonDatabindVersion=2.21.0 +jacksonJaxrsBaseVersion=2.21.0 + +# We also need Jackson 3.x for Spring AI and new versions of Spring Boot and Spring Framework +jacksonVersion3=3.0.4 +jacksonDatabindVersion3=3.0.4 # Note the inconsistent version numbering for "annotations"... it no longer matches the above jacksonAnnotationsVersion=2.21 From 9d4ba2a47092d3172c340b1ad0ccce45c58d22f0 Mon Sep 17 00:00:00 2001 From: labkey-susanh Date: Wed, 11 Feb 2026 13:54:46 -0800 Subject: [PATCH 3/6] Update gradle plugins version to accept multiple versions of jackson libraries --- gradle.properties | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gradle.properties b/gradle.properties index 45e6e434c5..a89ba2ab48 100644 --- a/gradle.properties +++ b/gradle.properties @@ -59,7 +59,7 @@ windowsProteomicsBinariesVersion=1.0 # The current version numbers for the gradle plugins. artifactoryPluginVersion=5.2.5 gradleNodePluginVersion=7.1.0 -gradlePluginsVersion=7.3.0 +gradlePluginsVersion=7.4.0-multiJackson-SNAPSHOT owaspDependencyCheckPluginVersion=12.2.0 # Versions of node and npm to use during the build. If set, these versions From 35af06d4e3e058c14d95505495ff9e9972b667b4 Mon Sep 17 00:00:00 2001 From: labkey-susanh Date: Wed, 11 Feb 2026 17:42:32 -0800 Subject: [PATCH 4/6] Gradle plugins v7.3.1 --- gradle.properties | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gradle.properties b/gradle.properties index a89ba2ab48..574fb478d5 100644 --- a/gradle.properties +++ b/gradle.properties @@ -59,7 +59,7 @@ windowsProteomicsBinariesVersion=1.0 # The current version numbers for the gradle plugins. artifactoryPluginVersion=5.2.5 gradleNodePluginVersion=7.1.0 -gradlePluginsVersion=7.4.0-multiJackson-SNAPSHOT +gradlePluginsVersion=7.3.1 owaspDependencyCheckPluginVersion=12.2.0 # Versions of node and npm to use during the build. If set, these versions From efd7e47a571555e1c21fda9d7ae3a668b90bdac0 Mon Sep 17 00:00:00 2001 From: labkey-jeckels Date: Wed, 11 Feb 2026 23:03:00 -0800 Subject: [PATCH 5/6] No need for Jackson 3 direct dependency --- gradle.properties | 4 ---- 1 file changed, 4 deletions(-) diff --git a/gradle.properties b/gradle.properties index 8cf097394b..860a704842 100644 --- a/gradle.properties +++ b/gradle.properties @@ -199,10 +199,6 @@ jacksonVersion=2.21.0 jacksonDatabindVersion=2.21.0 jacksonJaxrsBaseVersion=2.21.0 -# We also need Jackson 3.x for Spring AI and new versions of Spring Boot and Spring Framework -jacksonVersion3=3.0.4 -jacksonDatabindVersion3=3.0.4 - # Note the inconsistent version numbering for "annotations"... it no longer matches the above jacksonAnnotationsVersion=2.21 From 6a4272cd349cc39207e64d6e0275e37e7ab6c3ac Mon Sep 17 00:00:00 2001 From: labkey-jeckels Date: Thu, 12 Feb 2026 07:15:10 -0800 Subject: [PATCH 6/6] Suppress bad CPE match for Spring AI 2.x --- dependencyCheckSuppression.xml | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml index b181166d9d..99cd681ac2 100644 --- a/dependencyCheckSuppression.xml +++ b/dependencyCheckSuppression.xml @@ -194,4 +194,32 @@ ^pkg:maven/org\.mozilla/rhino@.*$ CVE-2025-66453 + + + + + ^pkg:maven/org\.springframework\.ai/spring-ai-autoconfigure-mcp-server-common@.*$ + cpe:/a:vmware:server + cpe:/a:vmware:vmware_server + + + + + ^pkg:maven/org\.springframework\.ai/spring-ai-autoconfigure-mcp-server-webmvc@.*$ + cpe:/a:vmware:server + cpe:/a:vmware:vmware_server + + + + + ^pkg:maven/org\.springframework\.ai/spring-ai-starter-mcp-server-webmvc@.*$ + cpe:/a:vmware:server + cpe:/a:vmware:vmware_server +