From 5af0a9e988706ab41614188888f8ead36edfc015 Mon Sep 17 00:00:00 2001 From: github-actions Date: Fri, 1 May 2026 17:38:09 +0000 Subject: [PATCH 1/7] Update labkeyVersion to 26.6-SNAPSHOT --- gradle.properties | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gradle.properties b/gradle.properties index a689b84436..22592d9632 100644 --- a/gradle.properties +++ b/gradle.properties @@ -44,7 +44,7 @@ buildFromSource=true # The default version for LabKey artifacts that are built or that we depend on. # override in an individual module's gradle.properties file as necessary -labkeyVersion=26.5-SNAPSHOT +labkeyVersion=26.6-SNAPSHOT labkeyClientApiVersion=7.2.0 # Uncomment the following line to download proteomics binaries From 6b5ae6ae54e506679e1061925de606781ba84605 Mon Sep 17 00:00:00 2001 From: Adam Rauch Date: Wed, 6 May 2026 08:15:09 -0700 Subject: [PATCH 2/7] Bump dependency versions (#1361) * Bump dependency versions * Quiet noisy IOUtils method --- gradle.properties | 24 +++++++++---------- server/embedded/src/main/resources/log4j2.xml | 3 +++ 2 files changed, 15 insertions(+), 12 deletions(-) diff --git a/gradle.properties b/gradle.properties index 22592d9632..9007776a3c 100644 --- a/gradle.properties +++ b/gradle.properties @@ -57,7 +57,7 @@ windowsProteomicsBinariesVersion=1.0 artifactoryPluginVersion=5.2.5 gradleNodePluginVersion=7.1.0 gradlePluginsVersion=8.1.0 -owaspDependencyCheckPluginVersion=12.2.1 +owaspDependencyCheckPluginVersion=12.2.2 # Versions of node and npm to use during the build. If set, these versions # will be downloaded and used. If not set, the existing local installations will be used @@ -87,7 +87,7 @@ angusMailVersion=2.0.5 annotationsVersion=15.0 -antVersion=1.10.15 +antVersion=1.10.17 antlrST4Version=4.3.4 @@ -123,14 +123,14 @@ commonmarkVersion=0.28.0 # the beanutils version is not the default version brought from commons-validator and/or commons-digester # in the :server:api module but is required for some of our code to compile commonsBeanutilsVersion=1.11.0 -commonsCodecVersion=1.21.0 +commonsCodecVersion=1.22.0 commonsCollections4Version=4.5.0 commonsCollectionsVersion=3.2.2 commonsCompressVersion=1.28.0 commonsDbcpVersion=1.4 commonsDigesterVersion=1.8.1 commonsDiscoveryVersion=0.2 -commonsIoVersion=2.21.0 +commonsIoVersion=2.22.0 commonsLang3Version=3.20.0 commonsLangVersion=2.6 commonsLoggingVersion=1.3.6 @@ -140,7 +140,7 @@ commonsTextVersion=1.15.0 commonsValidatorVersion=1.10.1 commonsVfs2Version=2.10.0 -datadogVersion=1.61.0 +datadogVersion=1.62.0 dom4jVersion=2.2.0 @@ -164,7 +164,7 @@ googleOauthClientVersion=1.39.0 googleProtocolBufVersion=3.25.9 graphSupportVersion=1.5.2 -grpcVersion=1.80.0 +grpcVersion=1.81.0 # Cloud and SequenceAnalysis bring gson in as a transitive dependency. # We resolve to the later version here to keep things consistent @@ -196,15 +196,15 @@ httpcoreVersion=4.4.16 intellijKotlinVersion=2.3.10 # Update the three Jackson dependency versions below in tandem, unless one gets a patch release out-of-sync with the others -jacksonVersion=2.21.2 -jacksonDatabindVersion=2.21.2 -jacksonJaxrsBaseVersion=2.21.2 +jacksonVersion=2.21.3 +jacksonDatabindVersion=2.21.3 +jacksonJaxrsBaseVersion=2.21.3 # Note the inconsistent version numbering for "annotations"... it no longer matches the above jacksonAnnotationsVersion=2.21 # Spring Boot brings in a transitive dependency on Jackson 3.x. It has changed package names and can coexist with Jackson 2.x. -jackson3Version=3.1.1 +jackson3Version=3.1.3 # The Jakarta Activation API version that Angus Activation implements. Keep in sync with angusActivationVersion (above). jakartaActivationApiVersion=2.1.4 @@ -242,7 +242,7 @@ jsr305Version=3.0.2 orgJsonVersion=20251224 -jsoupVersion=1.22.1 +jsoupVersion=1.22.2 junitVersion=4.13.2 @@ -252,7 +252,7 @@ kaptchaVersion=2.3 log4j2Version=2.25.4 -lombokVersion=1.18.44 +lombokVersion=1.18.46 luceneVersion=10.4.0 diff --git a/server/embedded/src/main/resources/log4j2.xml b/server/embedded/src/main/resources/log4j2.xml index 8daf4ab211..d800267885 100644 --- a/server/embedded/src/main/resources/log4j2.xml +++ b/server/embedded/src/main/resources/log4j2.xml @@ -222,6 +222,9 @@ + + + From 110c9409d4a88d86bd623559075cf75e757fe101 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 6 May 2026 17:32:30 -0700 Subject: [PATCH 3/7] [bot] Merge 26.5 to develop (#1364) * Update Apache Mina & Spring to the latest versions (#1359) * Update PostgreSQL JDBC driver (#1360) * Upgrade to Spring AI 2.0.0-M5 (#1352) * Upgrade to Spring AI 2.0.0-M5 * Bump Spring Framework and Spring Boot as well --------- Co-authored-by: Adam Rauch Co-authored-by: Lum Co-authored-by: github-actions --- build.gradle | 3 --- gradle.properties | 17 ++++++++--------- 2 files changed, 8 insertions(+), 12 deletions(-) diff --git a/build.gradle b/build.gradle index ed890c6e1a..5f530565bd 100644 --- a/build.gradle +++ b/build.gradle @@ -379,9 +379,6 @@ allprojects { force "org.springframework:spring-messaging:${springVersion}" force "org.springframework:spring-webflux:${springVersion}" - // spring-ai dependency. Force to mitigate a CVE. - force "io.modelcontextprotocol.sdk:mcp:${modelContextProtocolVersion}" - // Force consistency between pipeline's ActiveMQ and cloud's jClouds dependencies force "javax.annotation:javax.annotation-api:${javaxAnnotationVersion}" diff --git a/gradle.properties b/gradle.properties index 9007776a3c..800c8a914c 100644 --- a/gradle.properties +++ b/gradle.properties @@ -93,8 +93,8 @@ antlrST4Version=4.3.4 #Unifying version used by DISCVR and Premium apacheDirectoryVersion=2.1.7 -#Transitive dependency of Apache directory: 2.0.18 contains some regressions -apacheMinaVersion=2.2.5 +#Transitive dependency of Apache directory +apacheMinaVersion=2.2.7 # Usually matches the version specified as a Spring Boot dependency (see springBootVersion below) apacheTomcatVersion=11.0.21 @@ -259,9 +259,6 @@ luceneVersion=10.4.0 # Microsoft library for sending OAuth2-authenticated notification emails via the Microsoft Graph API microsoftGraphVersion=6.59.0 -# Spring-AI dependency that's showing a CVE -modelContextProtocolVersion=1.1.2 - mssqlJdbcVersion=13.4.0.jre11 # Netty - transitive dependency via azure-core-http-netty; force for CVE-2026-33871, CVE-2026-33870 @@ -269,6 +266,8 @@ nettyVersion=4.2.12.Final # Reactor - transitive dependency via azure-core; force for version consistency across modules reactorCoreVersion=3.8.1 +mssqlJdbcVersion=13.2.1.jre11 + objenesisVersion=1.0 opencsvVersion=2.3 @@ -283,7 +282,7 @@ poiVersion=5.5.1 pollingWatchVersion=0.2.0 -postgresqlDriverVersion=42.7.10 +postgresqlDriverVersion=42.7.11 quartzVersion=2.5.2 @@ -306,10 +305,10 @@ slf4jLog4jApiVersion=2.0.17 snappyJavaVersion=1.1.10.8 # Also, update apacheTomcatVersion above to match Spring Boot's Tomcat dependency version -springBootVersion=4.0.5 +springBootVersion=4.0.6 # This usually matches the Spring Framework version dictated by springBootVersion -springVersion=7.0.6 -springAiVersion=2.0.0-M4 +springVersion=7.0.7 +springAiVersion=2.0.0-M5 sqliteJdbcVersion=3.53.0.0 From 3c4f2c9a9f06a620a7dc2cd99f28cceb83bce73c Mon Sep 17 00:00:00 2001 From: Adam Rauch Date: Thu, 7 May 2026 14:04:08 -0700 Subject: [PATCH 4/7] Remove errant MSSQL JDBC property (#1365) --- gradle.properties | 2 -- 1 file changed, 2 deletions(-) diff --git a/gradle.properties b/gradle.properties index 800c8a914c..ee364416cd 100644 --- a/gradle.properties +++ b/gradle.properties @@ -266,8 +266,6 @@ nettyVersion=4.2.12.Final # Reactor - transitive dependency via azure-core; force for version consistency across modules reactorCoreVersion=3.8.1 -mssqlJdbcVersion=13.2.1.jre11 - objenesisVersion=1.0 opencsvVersion=2.3 From 5f97f56d87436a9b3d7dfbdb6dfefbf86e45d504 Mon Sep 17 00:00:00 2001 From: Susan Hert Date: Mon, 11 May 2026 09:30:00 -0700 Subject: [PATCH 5/7] Issue 1090: Gradle plugins built with plugin validation. (#1369) --- build.gradle | 4 ++-- gradle.properties | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/build.gradle b/build.gradle index 5f530565bd..d5e6b50ae7 100644 --- a/build.gradle +++ b/build.gradle @@ -16,7 +16,7 @@ plugins { id "com.jfrog.artifactory" version "${artifactoryPluginVersion}" apply false id "com.github.node-gradle.node" version "${gradleNodePluginVersion}" apply false id "org.owasp.dependencycheck" version "${owaspDependencyCheckPluginVersion}" apply false -// id "com.github.ben-manes.versions" version "0.39.0" + id "com.github.ben-manes.versions" version "0.54.0" id "org.labkey.build.multiGit" } @@ -586,7 +586,7 @@ project.tasks.register('ijConfigure') { task.dependsOn(project.tasks.ijRunConfigurationsSetup) } -if (project.hasProperty('artifactory_contextUrl') && project.hasProperty('artifactory_user') && project.hasProperty('artifactory_password')) +if (BuildUtils.hasArtifactoryProperties(project as Project)) { project.tasks.register('purgeNpmAlphaVersions', PurgeNpmAlphaVersions) { group = GroupNames.NPM_RUN diff --git a/gradle.properties b/gradle.properties index ee364416cd..76550cc369 100644 --- a/gradle.properties +++ b/gradle.properties @@ -56,7 +56,7 @@ windowsProteomicsBinariesVersion=1.0 # The current version numbers for the gradle plugins. artifactoryPluginVersion=5.2.5 gradleNodePluginVersion=7.1.0 -gradlePluginsVersion=8.1.0 +gradlePluginsVersion=8.2.0 owaspDependencyCheckPluginVersion=12.2.2 # Versions of node and npm to use during the build. If set, these versions From e0f0957e2c3f47def863ac21db8a6a01f89b1cb1 Mon Sep 17 00:00:00 2001 From: Josh Eckels Date: Mon, 11 May 2026 16:54:32 -0700 Subject: [PATCH 6/7] Remove versions for GWT and Jakarta annotations (#1368) * Remove versions for GWT and Jakarta annotations --- build.gradle | 2 +- gradle.properties | 5 ----- .../bootstrap/src/org/labkey/bootstrap/ExplodedModule.java | 5 +---- .../src/org/labkey/bootstrap/LabKeyBootstrapClassLoader.java | 2 +- server/bootstrap/src/org/labkey/bootstrap/ModuleArchive.java | 4 ++-- .../embedded/src/org/labkey/embedded/LabKeyDeleteAction.java | 4 ++-- .../src/org/labkey/embedded/LabKeySpringBootClassLoader.java | 4 ++-- .../labkey/embedded/LabKeyTomcatServletWebServerFactory.java | 4 ++-- 8 files changed, 11 insertions(+), 19 deletions(-) diff --git a/build.gradle b/build.gradle index d5e6b50ae7..f6feda9094 100644 --- a/build.gradle +++ b/build.gradle @@ -48,7 +48,7 @@ allprojects { analyzers.ossIndex.enabled = false } formats = ['HTML', 'JUNIT'] - skipConfigurations = ['dedupe', 'gwtCompileClasspath', 'gwtRuntimeClasspath', 'developmentOnly'] + skipConfigurations = ['dedupe', 'developmentOnly'] skipProjects = [':server:testAutomation'] nvd { diff --git a/gradle.properties b/gradle.properties index 76550cc369..9dd48f82f2 100644 --- a/gradle.properties +++ b/gradle.properties @@ -174,10 +174,6 @@ gsonVersion=2.8.9 guavaVersion=33.6.0-jre -# Note: You won't find usages in the product sources; this property is used by the gradle plugin. -gwtVersion=2.13.0 -gwtServletJakartaVersion=2.13.0 - # force hadoop-hdfs-client for CVE-2021-37404, CVE-2022-25168, CVE-2022-26612, CVE-2021-25642, CVE-2021-33036, CVE-2023-26031, hadoopHdfsClientVersion=3.4.1 @@ -322,7 +318,6 @@ tikaVersion=3.3.0 tukaaniXZVersion=1.12 validationApiVersion=1.1.0.Final -validationJakartaApiVersion=3.0.2 # NLP and SAML bring woodstox-core in as a transitive dependency but with very different versions. We force the later version. woodstoxCoreVersion=7.1.1 diff --git a/server/bootstrap/src/org/labkey/bootstrap/ExplodedModule.java b/server/bootstrap/src/org/labkey/bootstrap/ExplodedModule.java index c0a35e160a..c4582e35c4 100644 --- a/server/bootstrap/src/org/labkey/bootstrap/ExplodedModule.java +++ b/server/bootstrap/src/org/labkey/bootstrap/ExplodedModule.java @@ -54,8 +54,7 @@ public class ExplodedModule // With Gradle 1.8, we removed the -jsp classifier at the end of the jar file name, so we need to identify by the string _jsp- in the middle of the jar file name (e.g., announcements_jsp-19.3-SNAPSHOT.jar) private static final FilenameFilter _jspJarFilter = (dir, name) -> name.toLowerCase().contains("_jsp-"); private static final FilenameFilter _springConfigFilter = (dir, name) -> name.toLowerCase().endsWith("context.xml"); - private static final FilenameFilter _moduleXmlFilter = (dir, name) -> name.toLowerCase().equals("module.xml"); - private static final FilenameFilter _gwtFilter = (dir, name) -> name.endsWith(".gwt.rpc"); + private static final FilenameFilter _moduleXmlFilter = (dir, name) -> name.equalsIgnoreCase("module.xml"); private static final FilenameFilter _jarFilter = (dir, name) -> { String lowerName = name.toLowerCase(); @@ -139,8 +138,6 @@ public Set deployToWebApp(File webAppDirectory) throws IOException Set webAppFiles = new HashSet<>(); copyBranch(new File(getRootDirectory(), WEB_CONTENT_PATH + "/WEB-INF"), new File(webAppDirectory, "WEB-INF"), webAppFiles); - // GWTServlet depends on finding its gwt.rpc artifacts in the webapp - copyBranch(new File(getRootDirectory(), WEB_CONTENT_PATH), webAppDirectory, webAppFiles, _gwtFilter); copyFiles(getFiles(CONFIG_PATH, _springConfigFilter), webInfDir, webAppFiles); diff --git a/server/bootstrap/src/org/labkey/bootstrap/LabKeyBootstrapClassLoader.java b/server/bootstrap/src/org/labkey/bootstrap/LabKeyBootstrapClassLoader.java index fee0f876bc..dba63cc5a4 100644 --- a/server/bootstrap/src/org/labkey/bootstrap/LabKeyBootstrapClassLoader.java +++ b/server/bootstrap/src/org/labkey/bootstrap/LabKeyBootstrapClassLoader.java @@ -377,7 +377,7 @@ public File getDeletedModulesDirectory() } catch (IOException x) { - _log.info("Could not set hidden attribute on directory: " + deleted.getPath()); + _log.info("Could not set hidden attribute on directory: {}", deleted.getPath()); } } diff --git a/server/bootstrap/src/org/labkey/bootstrap/ModuleArchive.java b/server/bootstrap/src/org/labkey/bootstrap/ModuleArchive.java index b613a1ce51..171f45e075 100644 --- a/server/bootstrap/src/org/labkey/bootstrap/ModuleArchive.java +++ b/server/bootstrap/src/org/labkey/bootstrap/ModuleArchive.java @@ -87,7 +87,7 @@ private String nameFromModuleXML(InputStream is) throws IOException @Override public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException { - String parent = elementStack.isEmpty() ? "" : elementStack.get(elementStack.size()-1); + String parent = elementStack.isEmpty() ? "" : elementStack.getLast(); elementStack.add(qName+"#"+attributes.getValue("id")); if (qName.equals("property") && "bean#moduleBean".equals(parent)) { @@ -99,7 +99,7 @@ public void startElement(String uri, String localName, String qName, Attributes @Override public void endElement(String uri, String localName, String qName) throws SAXException { - elementStack.remove(elementStack.size()-1); + elementStack.removeLast(); } }); diff --git a/server/embedded/src/org/labkey/embedded/LabKeyDeleteAction.java b/server/embedded/src/org/labkey/embedded/LabKeyDeleteAction.java index ed2e503b13..ccada2831d 100644 --- a/server/embedded/src/org/labkey/embedded/LabKeyDeleteAction.java +++ b/server/embedded/src/org/labkey/embedded/LabKeyDeleteAction.java @@ -151,7 +151,7 @@ private List selectFilesToDelete(Path basePath, List 0) { Path target = logToRetain.getPath().getParent().resolve("labkey-errors-" + DATE_FORMAT.format(new Date()) + ".log"); - LOGGER.info("Retaining labkey-errors.log file before it gets deleted by rotation. Copying to " + target); + LOGGER.info("Retaining labkey-errors.log file before it gets deleted by rotation. Copying to {}", target); try { @@ -161,7 +161,7 @@ private List selectFilesToDelete(Path basePath, List loadClass(String name, boolean resolve) throws ClassNotFoundExce ClassLoader parent = getParent(); while (parent != null) { - LOG.debug("Looking for SessionAppending - checking ClassLoader " + parent); + LOG.debug("Looking for SessionAppending - checking ClassLoader {}", parent); if (parent.getClass().getName().equals("jdk.internal.loader.ClassLoaders$AppClassLoader") || parent.getClass().getName().equals("org.springframework.boot.loader.launch.LaunchedClassLoader")) { diff --git a/server/embedded/src/org/labkey/embedded/LabKeyTomcatServletWebServerFactory.java b/server/embedded/src/org/labkey/embedded/LabKeyTomcatServletWebServerFactory.java index 0c5f870704..4fdb3c53b6 100644 --- a/server/embedded/src/org/labkey/embedded/LabKeyTomcatServletWebServerFactory.java +++ b/server/embedded/src/org/labkey/embedded/LabKeyTomcatServletWebServerFactory.java @@ -394,12 +394,12 @@ private String getPropValue(Map propValues, Integer resourceKey { if (propValues == null) { - LOG.debug(String.format("%1$s property was not provided, using default", propName)); + LOG.debug("{} property was not provided, using default", propName); return defaultValue; } if (!propValues.containsKey(resourceKey)) - LOG.debug(String.format("%1$s property was not provided for resource [%2$s], using default [%3$s]", propName, resourceKey, defaultValue)); + LOG.debug("{} property was not provided for resource [{}], using default [{}]", propName, resourceKey, defaultValue); String val = propValues.getOrDefault(resourceKey, defaultValue); return val != null && !val.isBlank() ? val.trim() : defaultValue; From 14c7d5d7495279220ea966116450ce154ba114f5 Mon Sep 17 00:00:00 2001 From: Adam Rauch Date: Wed, 13 May 2026 08:49:42 -0700 Subject: [PATCH 7/7] Update Netty --- gradle.properties | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gradle.properties b/gradle.properties index 9dd48f82f2..6cf74cb15a 100644 --- a/gradle.properties +++ b/gradle.properties @@ -258,7 +258,7 @@ microsoftGraphVersion=6.59.0 mssqlJdbcVersion=13.4.0.jre11 # Netty - transitive dependency via azure-core-http-netty; force for CVE-2026-33871, CVE-2026-33870 -nettyVersion=4.2.12.Final +nettyVersion=4.2.13.Final # Reactor - transitive dependency via azure-core; force for version consistency across modules reactorCoreVersion=3.8.1