Update Netty

build.gradle

@@ -16,7 +16,7 @@ plugins {
     id "com.jfrog.artifactory" version "${artifactoryPluginVersion}" apply false
     id "com.github.node-gradle.node" version "${gradleNodePluginVersion}" apply false
     id "org.owasp.dependencycheck" version "${owaspDependencyCheckPluginVersion}" apply false
-//    id "com.github.ben-manes.versions" version "0.39.0"
+    id "com.github.ben-manes.versions" version "0.54.0"
     id "org.labkey.build.multiGit"
 }
 
@@ -48,7 +48,7 @@ allprojects {
                 analyzers.ossIndex.enabled = false
             }
             formats = ['HTML', 'JUNIT']
-            skipConfigurations = ['dedupe', 'gwtCompileClasspath', 'gwtRuntimeClasspath', 'developmentOnly']
+            skipConfigurations = ['dedupe', 'developmentOnly']
             skipProjects = [':server:testAutomation']
 
             nvd {
@@ -379,9 +379,6 @@ allprojects {
                     force "org.springframework:spring-messaging:${springVersion}"
                     force "org.springframework:spring-webflux:${springVersion}"
 
-                    // spring-ai dependency. Force to mitigate a CVE.
-                    force "io.modelcontextprotocol.sdk:mcp:${modelContextProtocolVersion}"
-
                     // Force consistency between pipeline's ActiveMQ and cloud's jClouds dependencies
                     force "javax.annotation:javax.annotation-api:${javaxAnnotationVersion}"
 
@@ -589,7 +586,7 @@ project.tasks.register('ijConfigure') {
         task.dependsOn(project.tasks.ijRunConfigurationsSetup)
 }
 
-if (project.hasProperty('artifactory_contextUrl') && project.hasProperty('artifactory_user') && project.hasProperty('artifactory_password'))
+if (BuildUtils.hasArtifactoryProperties(project as Project))
 {
     project.tasks.register('purgeNpmAlphaVersions', PurgeNpmAlphaVersions) {
         group = GroupNames.NPM_RUN

gradle.properties

@@ -44,7 +44,7 @@ buildFromSource=true
 
 # The default version for LabKey artifacts that are built or that we depend on.
 # override in an individual module's gradle.properties file as necessary 
-labkeyVersion=26.5-SNAPSHOT
+labkeyVersion=26.6-SNAPSHOT
 labkeyClientApiVersion=7.2.0
 
 # Uncomment the following line to download proteomics binaries
@@ -56,8 +56,8 @@ windowsProteomicsBinariesVersion=1.0
 # The current version numbers for the gradle plugins.
 artifactoryPluginVersion=5.2.5
 gradleNodePluginVersion=7.1.0
-gradlePluginsVersion=8.1.0
-owaspDependencyCheckPluginVersion=12.2.1
+gradlePluginsVersion=8.2.0
+owaspDependencyCheckPluginVersion=12.2.2
 
 # Versions of node and npm to use during the build. If set, these versions
 # will be downloaded and used. If not set, the existing local installations will be used
@@ -87,14 +87,14 @@ angusMailVersion=2.0.5
 
 annotationsVersion=15.0
 
-antVersion=1.10.15
+antVersion=1.10.17
 
 antlrST4Version=4.3.4
 
 #Unifying version used by DISCVR and Premium
 apacheDirectoryVersion=2.1.7
-#Transitive dependency of Apache directory: 2.0.18 contains some regressions
-apacheMinaVersion=2.2.5
+#Transitive dependency of Apache directory
+apacheMinaVersion=2.2.7
 
 # Usually matches the version specified as a Spring Boot dependency (see springBootVersion below)
 apacheTomcatVersion=11.0.21
@@ -123,14 +123,14 @@ commonmarkVersion=0.28.0
 # the beanutils version is not the default version brought from commons-validator and/or commons-digester
 # in the :server:api module but is required for some of our code to compile
 commonsBeanutilsVersion=1.11.0
-commonsCodecVersion=1.21.0
+commonsCodecVersion=1.22.0
 commonsCollections4Version=4.5.0
 commonsCollectionsVersion=3.2.2
 commonsCompressVersion=1.28.0
 commonsDbcpVersion=1.4
 commonsDigesterVersion=1.8.1
 commonsDiscoveryVersion=0.2
-commonsIoVersion=2.21.0
+commonsIoVersion=2.22.0
 commonsLang3Version=3.20.0
 commonsLangVersion=2.6
 commonsLoggingVersion=1.3.6
@@ -140,7 +140,7 @@ commonsTextVersion=1.15.0
 commonsValidatorVersion=1.10.1
 commonsVfs2Version=2.10.0
 
-datadogVersion=1.61.0
+datadogVersion=1.62.0
 
 dom4jVersion=2.2.0
 
@@ -164,7 +164,7 @@ googleOauthClientVersion=1.39.0
 googleProtocolBufVersion=3.25.9
 
 graphSupportVersion=1.5.2
-grpcVersion=1.80.0
+grpcVersion=1.81.0
 
 # Cloud and SequenceAnalysis bring gson in as a transitive dependency.
 # We resolve to the later version here to keep things consistent
@@ -174,10 +174,6 @@ gsonVersion=2.8.9
 
 guavaVersion=33.6.0-jre
 
-# Note: You won't find usages in the product sources; this property is used by the gradle plugin.
-gwtVersion=2.13.0
-gwtServletJakartaVersion=2.13.0
-
 # force hadoop-hdfs-client for CVE-2021-37404, CVE-2022-25168, CVE-2022-26612, CVE-2021-25642, CVE-2021-33036, CVE-2023-26031,
 hadoopHdfsClientVersion=3.4.1
 
@@ -196,15 +192,15 @@ httpcoreVersion=4.4.16
 intellijKotlinVersion=2.3.10
 
 # Update the three Jackson dependency versions below in tandem, unless one gets a patch release out-of-sync with the others
-jacksonVersion=2.21.2
-jacksonDatabindVersion=2.21.2
-jacksonJaxrsBaseVersion=2.21.2
+jacksonVersion=2.21.3
+jacksonDatabindVersion=2.21.3
+jacksonJaxrsBaseVersion=2.21.3
 
 # Note the inconsistent version numbering for "annotations"... it no longer matches the above
 jacksonAnnotationsVersion=2.21
 
 # Spring Boot brings in a transitive dependency on Jackson 3.x. It has changed package names and can coexist with Jackson 2.x.
-jackson3Version=3.1.1
+jackson3Version=3.1.3
 
 # The Jakarta Activation API version that Angus Activation implements. Keep in sync with angusActivationVersion (above).
 jakartaActivationApiVersion=2.1.4
@@ -242,7 +238,7 @@ jsr305Version=3.0.2
 
 orgJsonVersion=20251224
 
-jsoupVersion=1.22.1
+jsoupVersion=1.22.2
 
 junitVersion=4.13.2
 
@@ -252,20 +248,17 @@ kaptchaVersion=2.3
 
 log4j2Version=2.25.4
 
-lombokVersion=1.18.44
+lombokVersion=1.18.46
 
 luceneVersion=10.4.0
 
 # Microsoft library for sending OAuth2-authenticated notification emails via the Microsoft Graph API
 microsoftGraphVersion=6.59.0
 
-# Spring-AI dependency that's showing a CVE
-modelContextProtocolVersion=1.1.2
-
 mssqlJdbcVersion=13.4.0.jre11
 
 # Netty - transitive dependency via azure-core-http-netty; force for CVE-2026-33871, CVE-2026-33870
-nettyVersion=4.2.12.Final
+nettyVersion=4.2.13.Final
 # Reactor - transitive dependency via azure-core; force for version consistency across modules
 reactorCoreVersion=3.8.1
 
@@ -283,7 +276,7 @@ poiVersion=5.5.1
 
 pollingWatchVersion=0.2.0
 
-postgresqlDriverVersion=42.7.10
+postgresqlDriverVersion=42.7.11
 
 quartzVersion=2.5.2
 
@@ -306,10 +299,10 @@ slf4jLog4jApiVersion=2.0.17
 snappyJavaVersion=1.1.10.8
 
 # Also, update apacheTomcatVersion above to match Spring Boot's Tomcat dependency version
-springBootVersion=4.0.5
+springBootVersion=4.0.6
 # This usually matches the Spring Framework version dictated by springBootVersion
-springVersion=7.0.6
-springAiVersion=2.0.0-M4
+springVersion=7.0.7
+springAiVersion=2.0.0-M5
 
 sqliteJdbcVersion=3.53.0.0
 
@@ -325,7 +318,6 @@ tikaVersion=3.3.0
 tukaaniXZVersion=1.12
 
 validationApiVersion=1.1.0.Final
-validationJakartaApiVersion=3.0.2
 
 # NLP and SAML bring woodstox-core in as a transitive dependency but with very different versions. We force the later version.
 woodstoxCoreVersion=7.1.1

server/bootstrap/src/org/labkey/bootstrap/ExplodedModule.java

@@ -54,8 +54,7 @@ public class ExplodedModule
     // With Gradle 1.8, we removed the -jsp classifier at the end of the jar file name, so we need to identify by the string _jsp- in the middle of the jar file name (e.g., announcements_jsp-19.3-SNAPSHOT.jar)
     private static final FilenameFilter _jspJarFilter = (dir, name) -> name.toLowerCase().contains("_jsp-");
     private static final FilenameFilter _springConfigFilter = (dir, name) -> name.toLowerCase().endsWith("context.xml");
-    private static final FilenameFilter _moduleXmlFilter = (dir, name) -> name.toLowerCase().equals("module.xml");
-    private static final FilenameFilter _gwtFilter = (dir, name) -> name.endsWith(".gwt.rpc");
+    private static final FilenameFilter _moduleXmlFilter = (dir, name) -> name.equalsIgnoreCase("module.xml");
 
     private static final FilenameFilter _jarFilter = (dir, name) -> {
         String lowerName = name.toLowerCase();
@@ -139,8 +138,6 @@ public Set<File> deployToWebApp(File webAppDirectory) throws IOException
         Set<File> webAppFiles = new HashSet<>();
 
         copyBranch(new File(getRootDirectory(), WEB_CONTENT_PATH + "/WEB-INF"), new File(webAppDirectory, "WEB-INF"), webAppFiles);
-        // GWTServlet depends on finding its gwt.rpc artifacts in the webapp
-        copyBranch(new File(getRootDirectory(), WEB_CONTENT_PATH), webAppDirectory, webAppFiles, _gwtFilter);
 
         copyFiles(getFiles(CONFIG_PATH, _springConfigFilter), webInfDir, webAppFiles);
 

server/bootstrap/src/org/labkey/bootstrap/LabKeyBootstrapClassLoader.java

@@ -377,7 +377,7 @@ public File getDeletedModulesDirectory()
             }
             catch (IOException x)
             {
-                _log.info("Could not set hidden attribute on directory: " + deleted.getPath());
+                _log.info("Could not set hidden attribute on directory: {}", deleted.getPath());
             }
         }
 

server/bootstrap/src/org/labkey/bootstrap/ModuleArchive.java

@@ -87,7 +87,7 @@ private String nameFromModuleXML(InputStream is) throws IOException
                 @Override
                 public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException
                 {
-                    String parent = elementStack.isEmpty() ? "" : elementStack.get(elementStack.size()-1);
+                    String parent = elementStack.isEmpty() ? "" : elementStack.getLast();
                     elementStack.add(qName+"#"+attributes.getValue("id"));
                     if (qName.equals("property") && "bean#moduleBean".equals(parent))
                     {
@@ -99,7 +99,7 @@ public void startElement(String uri, String localName, String qName, Attributes
                 @Override
                 public void endElement(String uri, String localName, String qName) throws SAXException
                 {
-                    elementStack.remove(elementStack.size()-1);
+                    elementStack.removeLast();
                 }
             });
 

server/embedded/src/main/resources/log4j2.xml

@@ -222,6 +222,9 @@
         <!-- Suppress POI's PackageRelationshipCollection's "Cannot convert {} in a valid relationship URI" URISyntaxExceptions, Issue 51960 -->
         <Logger name="org.apache.poi.openxml4j.opc.PackageRelationshipCollection" level="fatal"/>
 
+        <!-- Suppress IOUtils logging of errors in closeQuietly(). (I'm curious, what's your definition of "quiet", IOUtils?) GitHub Issue 1089 -->
+        <Logger name="org.apache.poi.util.IOUtils" level="fatal"/>
+
         <!-- Suppress some noisy FontBox and POI classes that log warnings during document text extraction -->
         <Logger name="org.apache.fontbox.ttf.CmapSubtable" level="error"/>
         <Logger name="org.apache.fontbox.ttf.PostScriptTable" level="error"/>

server/embedded/src/org/labkey/embedded/LabKeyDeleteAction.java

@@ -151,7 +151,7 @@ private List<PathWithAttributes> selectFilesToDelete(Path basePath, List<PathWit
         if (logToRetain != null && !_copiedOriginal && logToRetain.getAttributes().size() > 0)
         {
             Path target = logToRetain.getPath().getParent().resolve("labkey-errors-" + DATE_FORMAT.format(new Date()) + ".log");
-            LOGGER.info("Retaining labkey-errors.log file before it gets deleted by rotation. Copying to " + target);
+            LOGGER.info("Retaining labkey-errors.log file before it gets deleted by rotation. Copying to {}", target);
 
             try
             {
@@ -161,7 +161,7 @@ private List<PathWithAttributes> selectFilesToDelete(Path basePath, List<PathWit
             }
             catch (IOException e)
             {
-                LOGGER.warn("Failed to retain error log file " + logToRetain.getPath(), e);
+                LOGGER.warn("Failed to retain error log file {}", logToRetain.getPath(), e);
             }
             _copiedOriginal = true;
         }

server/embedded/src/org/labkey/embedded/LabKeySpringBootClassLoader.java

@@ -43,7 +43,7 @@ public LabKeySpringBootClassLoader(ClassLoader parent)
                         if (is != null)
                         {
                             addURL(url);
-                            LOG.info("Added URL that resolves log4j2.xml to class loader: " + url);
+                            LOG.info("Added URL that resolves log4j2.xml to class loader: {}", url);
                         }
                     }
                     catch (IOException e)
@@ -65,7 +65,7 @@ public Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundExce
             ClassLoader parent = getParent();
             while (parent != null)
             {
-                LOG.debug("Looking for SessionAppending - checking ClassLoader " + parent);
+                LOG.debug("Looking for SessionAppending - checking ClassLoader {}", parent);
                 if (parent.getClass().getName().equals("jdk.internal.loader.ClassLoaders$AppClassLoader") ||
                         parent.getClass().getName().equals("org.springframework.boot.loader.launch.LaunchedClassLoader"))
                 {

server/embedded/src/org/labkey/embedded/LabKeyTomcatServletWebServerFactory.java

@@ -394,12 +394,12 @@ private String getPropValue(Map<Integer, String> propValues, Integer resourceKey
     {
         if (propValues == null)
         {
-            LOG.debug(String.format("%1$s property was not provided, using default", propName));
+            LOG.debug("{} property was not provided, using default", propName);
             return defaultValue;
         }
 
         if (!propValues.containsKey(resourceKey))
-            LOG.debug(String.format("%1$s property was not provided for resource [%2$s], using default [%3$s]", propName, resourceKey, defaultValue));
+            LOG.debug("{} property was not provided for resource [{}], using default [{}]", propName, resourceKey, defaultValue);
 
         String val = propValues.getOrDefault(resourceKey, defaultValue);
         return val != null && !val.isBlank() ? val.trim() : defaultValue;