From fd79df48f9456d986537e3f1b885f927e71eedfd Mon Sep 17 00:00:00 2001
From: Javier Aliaga <javier@diagrid.io>
Date: Tue, 31 Mar 2026 11:58:09 +0200
Subject: [PATCH 1/3] fix: upgrade dependencies to address critical CVEs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Upgrade jackson-bom 2.16.2 → 2.18.6 (CVE-2025-52999, CVSS 8.7 DoS),
add netty-bom 4.1.132.Final (CVE-2026-33871 CVSS 8.7, CVE-2026-33870
CVSS 7.5), and bump Spring Boot 3.4.9 → 3.4.10 which pulls Tomcat
10.1.46 (CVE-2025-55754 CVSS 9.6, CVE-2025-55752 CVSS 7.5).

Reorder BOM imports so netty-bom and jackson-bom take precedence over
Spring Boot's managed versions. Align springframework.version 6.2.11
with Spring Boot 3.4.10.

Signed-off-by: Javier Aliaga <javier@diagrid.io>
---
 pom.xml | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)

diff --git a/pom.xml b/pom.xml
index fe3bd5cd2..8d8974183 100644
--- a/pom.xml
+++ b/pom.xml
@@ -42,7 +42,7 @@
     <maven.compiler.target>11</maven.compiler.target>
     <maven.compiler.release>11</maven.compiler.release>
     <maven.deploy.skip>true</maven.deploy.skip>
-    <jackson.version>2.16.2</jackson.version>
+    <jackson.version>2.18.6</jackson.version>
     <gpg.skip>true</gpg.skip>
     <spotbugs.fail>true</spotbugs.fail>
     <spotbugs.exclude.filter.file>${maven.multiModuleProjectDirectory}/spotbugs-exclude.xml</spotbugs.exclude.filter.file>
@@ -53,8 +53,8 @@
     <snakeyaml.version>2.0</snakeyaml.version>
     <testcontainers.version>1.21.4</testcontainers.version>
     <!-- Do NOT UPGRADE spring.version without checking springboot.version alignment -->
-    <springboot.version>3.4.9</springboot.version>
-    <springframework.version>6.2.7</springframework.version>
+    <springboot.version>3.4.10</springboot.version>
+    <springframework.version>6.2.11</springframework.version>
     <!-- Do NOT UPGRADE springframework.version without checking springboot.version alignment -->
     <nexus-staging-maven-plugin.version>1.7.0</nexus-staging-maven-plugin.version>
     <assertj.version>3.27.7</assertj.version>
@@ -82,6 +82,7 @@
     <opentelemetry-bom.version>2.1.0</opentelemetry-bom.version>
     <kotlin.version>2.1.0</kotlin.version>
     <rest-assured.version>5.5.1</rest-assured.version>
+    <netty.version>4.1.132.Final</netty.version>
   </properties>
 
   <distributionManagement>
@@ -106,16 +107,16 @@
       <!-- BOMs - Import first to establish baseline dependency versions         -->
       <!-- ====================================================================== -->
       <dependency>
-        <groupId>io.grpc</groupId>
-        <artifactId>grpc-bom</artifactId>
-        <version>${grpc.version}</version>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-bom</artifactId>
+        <version>${netty.version}</version>
         <type>pom</type>
         <scope>import</scope>
       </dependency>
       <dependency>
-        <groupId>org.springframework.boot</groupId>
-        <artifactId>spring-boot-dependencies</artifactId>
-        <version>${springboot.version}</version>
+        <groupId>io.grpc</groupId>
+        <artifactId>grpc-bom</artifactId>
+        <version>${grpc.version}</version>
         <type>pom</type>
         <scope>import</scope>
       </dependency>
@@ -126,6 +127,13 @@
         <type>pom</type>
         <scope>import</scope>
       </dependency>
+      <dependency>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-dependencies</artifactId>
+        <version>${springboot.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
       <dependency>
         <groupId>org.junit</groupId>
         <artifactId>junit-bom</artifactId>

From 6a6d7c4afdc0daccb1ae6bfc3065fb4587372e25 Mon Sep 17 00:00:00 2001
From: Javier Aliaga <javier@diagrid.io>
Date: Tue, 31 Mar 2026 12:13:21 +0200
Subject: [PATCH 2/3] chore: add TODO to remove netty-bom once gRPC bundles >=
 4.1.132

Signed-off-by: Javier Aliaga <javier@diagrid.io>
---
 pom.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pom.xml b/pom.xml
index 8d8974183..68109943f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -82,6 +82,7 @@
     <opentelemetry-bom.version>2.1.0</opentelemetry-bom.version>
     <kotlin.version>2.1.0</kotlin.version>
     <rest-assured.version>5.5.1</rest-assured.version>
+    <!-- TODO: Remove netty-bom override once gRPC ships with Netty >= 4.1.132 (CVE-2026-33871, CVE-2026-33870) -->
     <netty.version>4.1.132.Final</netty.version>
   </properties>
 

From 77fa2c38458e41cb3e95be0f3d46c17e361ac819 Mon Sep 17 00:00:00 2001
From: Javier Aliaga <javier@diagrid.io>
Date: Tue, 31 Mar 2026 12:23:13 +0200
Subject: [PATCH 3/3] fix: upgrade Spring Boot 4.0.2 to 4.0.5 to fix
 jackson-core 3.0.4 (GHSA-72hv-8253-57qq)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Spring Boot 4.0.4+ ships with jackson 3.1.0, fixing the async JSON
parser DoS vulnerability in jackson-core 3.0.4. Upgrade all 6 modules
that pin springboot4.version from 4.0.2 to 4.0.5 (latest patch).

No jackson-bom override needed — Spring Boot 4.0.5 manages it natively.

Signed-off-by: Javier Aliaga <javier@diagrid.io>
---
 dapr-spring/dapr-spring-6-data/pom.xml                        | 4 ++--
 dapr-spring/dapr-spring-boot-4-autoconfigure/pom.xml          | 4 ++--
 .../dapr-spring-boot-4-starter-test/pom.xml                   | 4 ++--
 .../dapr-spring-boot-4-starter/pom.xml                        | 4 ++--
 spring-boot-4-examples/pom.xml                                | 4 ++--
 spring-boot-4-sdk-tests/pom.xml                               | 4 ++--
 6 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/dapr-spring/dapr-spring-6-data/pom.xml b/dapr-spring/dapr-spring-6-data/pom.xml
index 5142cfdac..46411f07c 100644
--- a/dapr-spring/dapr-spring-6-data/pom.xml
+++ b/dapr-spring/dapr-spring-6-data/pom.xml
@@ -17,8 +17,8 @@
   <packaging>jar</packaging>
 
   <properties>
-    <springboot4.version>4.0.2</springboot4.version>
-    <!-- Override JUnit version to align with Spring Boot 4.0.2 -->
+    <springboot4.version>4.0.5</springboot4.version>
+    <!-- Override JUnit version to align with Spring Boot 4.x -->
     <junit-bom.version>6.0.2</junit-bom.version>
   </properties>
 
diff --git a/dapr-spring/dapr-spring-boot-4-autoconfigure/pom.xml b/dapr-spring/dapr-spring-boot-4-autoconfigure/pom.xml
index 17dabbcb7..c5b93b8f0 100644
--- a/dapr-spring/dapr-spring-boot-4-autoconfigure/pom.xml
+++ b/dapr-spring/dapr-spring-boot-4-autoconfigure/pom.xml
@@ -16,8 +16,8 @@
   <packaging>jar</packaging>
 
   <properties>
-    <springboot4.version>4.0.2</springboot4.version>
-    <!-- Override JUnit version to align with Spring Boot 4.0.2 -->
+    <springboot4.version>4.0.5</springboot4.version>
+    <!-- Override JUnit version to align with Spring Boot 4.0.x -->
     <junit-bom.version>6.0.2</junit-bom.version>
   </properties>
 
diff --git a/dapr-spring/dapr-spring-boot-starters/dapr-spring-boot-4-starter-test/pom.xml b/dapr-spring/dapr-spring-boot-starters/dapr-spring-boot-4-starter-test/pom.xml
index 52cc83fec..cec099f64 100644
--- a/dapr-spring/dapr-spring-boot-starters/dapr-spring-boot-4-starter-test/pom.xml
+++ b/dapr-spring/dapr-spring-boot-starters/dapr-spring-boot-4-starter-test/pom.xml
@@ -16,8 +16,8 @@
     <packaging>jar</packaging>
 
     <properties>
-      <springboot4.version>4.0.2</springboot4.version>
-      <!-- Override JUnit version to align with Spring Boot 4.0.2 -->
+      <springboot4.version>4.0.5</springboot4.version>
+      <!-- Override JUnit version to align with Spring Boot 4.x -->
       <junit-bom.version>6.0.2</junit-bom.version>
     </properties>
     <dependencyManagement>
diff --git a/dapr-spring/dapr-spring-boot-starters/dapr-spring-boot-4-starter/pom.xml b/dapr-spring/dapr-spring-boot-starters/dapr-spring-boot-4-starter/pom.xml
index 96c3aed53..4744517a8 100644
--- a/dapr-spring/dapr-spring-boot-starters/dapr-spring-boot-4-starter/pom.xml
+++ b/dapr-spring/dapr-spring-boot-starters/dapr-spring-boot-4-starter/pom.xml
@@ -16,8 +16,8 @@
   <packaging>jar</packaging>
 
   <properties>
-    <springboot4.version>4.0.2</springboot4.version>
-    <!-- Override JUnit version to align with Spring Boot 4.0.2 -->
+    <springboot4.version>4.0.5</springboot4.version>
+    <!-- Override JUnit version to align with Spring Boot 4.x -->
     <junit-bom.version>6.0.2</junit-bom.version>
   </properties>
 
diff --git a/spring-boot-4-examples/pom.xml b/spring-boot-4-examples/pom.xml
index 0cd744abc..ba4830ffe 100644
--- a/spring-boot-4-examples/pom.xml
+++ b/spring-boot-4-examples/pom.xml
@@ -15,8 +15,8 @@
 
   <properties>
     <maven.deploy.skip>true</maven.deploy.skip>
-    <springboot4.version>4.0.2</springboot4.version>
-    <!-- Override JUnit version to align with Spring Boot 4.0.2 -->
+    <springboot4.version>4.0.5</springboot4.version>
+    <!-- Override JUnit version to align with Spring Boot 4.x -->
     <junit-bom.version>6.0.2</junit-bom.version>
   </properties>
 
diff --git a/spring-boot-4-sdk-tests/pom.xml b/spring-boot-4-sdk-tests/pom.xml
index d6874b962..684eaf742 100644
--- a/spring-boot-4-sdk-tests/pom.xml
+++ b/spring-boot-4-sdk-tests/pom.xml
@@ -19,8 +19,8 @@
     <maven.deploy.skip>true</maven.deploy.skip>
     <protobuf.output.directory>${project.build.directory}/generated-sources</protobuf.output.directory>
     <protobuf.input.directory>${project.basedir}/proto</protobuf.input.directory>
-    <springboot4.version>4.0.2</springboot4.version>
-    <!-- Override JUnit version to align with Spring Boot 4.0.2 -->
+    <springboot4.version>4.0.5</springboot4.version>
+    <!-- Override JUnit version to align with Spring Boot 4.x -->
     <junit-bom.version>6.0.2</junit-bom.version>
     <!-- The JaCoCo plugin was expecting coverage for this module, but since it's a test module
    and code coverage typically doesn't apply to tests, the coverage is set to 0. -->