fix(deps): clear all 12 known CVEs from the 2026-04-17 baseline (#50)

Bumps every dependency flagged by the OSV-Scanner + Dependabot pass to
its fixed version. Re-running OSV after this commit: 0 findings.

Maven (all transitive, overridden via pom properties and
dependencyManagement — nothing to change in our direct dep list):

  tomcat-embed-core       11.0.20 -> 11.0.21   (tomcat.version property)
    CVE-2026-34483 HIGH: JsonAccessLogValve improper encoding
    CVE-2026-34487 HIGH: sensitive info insertion into log file
    CVE-2026-34500 MOD : CLIENT_CERT auth does not fail as expected

  tools.jackson.core:*    3.1.0   -> 3.1.1     (explicit management entries)
    GHSA-2m67-wjpj-xhg9 HIGH: document length bypass in blocking/async/
                              DataInput parsers

  log4j-core              2.25.3  -> 2.25.4    (explicit management entry)
    CVE-2026-34477 MOD : verifyHostName silently ignored in TLS config
    CVE-2026-34478 MOD : log injection in Rfc5424Layout
    CVE-2026-34480 MOD : silent log-event loss in XmlLayout

  log4j-layout-template-json  2.25.3 -> 2.25.4
    CVE-2026-34481 MOD : improper serialization of non-finite floats

  shiro-core              2.0.6   -> 2.1.0
    CVE-2026-23901 LOW : observable timing discrepancy
    (pulled in by neo4j-security)

  mcp-core                1.1.0   -> 1.1.1
    CVE-2026-34237 MOD : hardcoded wildcard CORS on MCP endpoints.
    Load-bearing for us — our read-only MCP API should not accept
    cross-origin requests from arbitrary origins.

npm (direct dev dependency):

  vite                    6.4.1   -> 6.4.2     (src/main/frontend/)
    CVE-2026-39363 HIGH: arbitrary file read via dev server WebSocket
    CVE-2026-39365 MOD : path traversal in optimized deps .map handling
    Dev-only (build tool) — blast radius is the developer machine.

Note on Jackson: Spring Boot 4.0.5's `<jackson.version>` property pins
only the new-API artifacts (tools.jackson.core:*) — Spring Boot does
not propagate it to them, so the property override by itself is a
no-op. Explicit <dependencyManagement> entries for jackson-core /
-databind / -annotations are required until the Boot BOM catches up.

Revert hints are captured in the pom's comment blocks so when Spring
Boot 4.0.6+ / the Spring-AI BOM / Neo4j 2026.02.4 ship with these
versions naturally, these overrides can go away.

Verified:
  mvn test       -> 3,059 tests, 0 failures, 0 errors
  osv-scanner     -> 0 findings (was 12: 4 HIGH / 7 MOD / 1 LOW)
  dependency:tree -> all 6 Maven and 1 npm versions match fix targets

Author: aksOps

pom.xml

@@ -29,6 +29,21 @@
         <spotbugs.version>4.9.8.3</spotbugs.version>
         <owasp.dependency-check.version>12.2.0</owasp.dependency-check.version>
         <checkstyle-plugin.version>3.6.0</checkstyle-plugin.version>
+
+        <!--
+          Security override: Spring Boot 4.0.5 pulls tomcat-embed-core 11.0.20
+          and jackson (tools.jackson.core) 3.1.0; both have CVEs fixed in the
+          next patch release. Bumping these via the Spring-Boot-managed
+          properties so all starter-managed artifacts pick up the fix
+          without a full Spring Boot version change. Revert these when
+          Spring Boot 4.0.6+ ships with the same or newer versions.
+            tomcat 11.0.20 -> 11.0.21  (CVE-2026-34483 HIGH,
+                                        CVE-2026-34487 HIGH,
+                                        CVE-2026-34500 MODERATE)
+            jackson 3.1.0  -> 3.1.1    (GHSA-2m67-wjpj-xhg9 HIGH)
+        -->
+        <tomcat.version>11.0.21</tomcat.version>
+        <jackson.version>3.1.1</jackson.version>
     </properties>
 
     <dependencyManagement>
@@ -40,6 +55,67 @@
                 <type>pom</type>
                 <scope>import</scope>
             </dependency>
+
+            <!--
+              Security overrides for transitive CVE-affected dependencies that
+              Spring Boot's managed-versions machinery does not cover:
+                log4j-core 2.25.3 -> 2.25.4          (CVE-2026-34477 MOD,
+                                                      CVE-2026-34478 MOD,
+                                                      CVE-2026-34480 MOD)
+                log4j-layout-template-json 2.25.3 -> 2.25.4  (CVE-2026-34481 MOD)
+                  •both pulled in transitively by Neo4j 2026.02.3.
+                shiro-core 2.0.6 -> 2.1.0            (CVE-2026-23901 LOW)
+                  •pulled in by neo4j-security.
+                mcp-core 1.1.0 -> 1.1.1              (CVE-2026-34237 MOD)
+                  •hardcoded wildcard CORS; pulled in by Spring AI MCP
+                  starter. Directly load-bearing for our read-only MCP
+                  endpoints: fix is non-optional.
+              Revert overrides once the upstream BOMs ship matching versions.
+            -->
+            <dependency>
+                <groupId>org.apache.logging.log4j</groupId>
+                <artifactId>log4j-core</artifactId>
+                <version>2.25.4</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.logging.log4j</groupId>
+                <artifactId>log4j-layout-template-json</artifactId>
+                <version>2.25.4</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.shiro</groupId>
+                <artifactId>shiro-core</artifactId>
+                <version>2.1.0</version>
+            </dependency>
+            <dependency>
+                <groupId>io.modelcontextprotocol.sdk</groupId>
+                <artifactId>mcp-core</artifactId>
+                <version>1.1.1</version>
+            </dependency>
+
+            <!--
+              Explicit override for Jackson 3.x (tools.jackson.core). Spring
+              Boot 4.0.5's managed-versions machinery pins these to 3.1.0 via
+              its own BOM and the `<jackson.version>` property does not
+              propagate to the new-API artifacts. Pin to 3.1.1 until Spring
+              Boot 4.0.6+ ships with the fix (GHSA-2m67-wjpj-xhg9 HIGH,
+              document length bypass in blocking/async/DataInput parsers).
+            -->
+            <dependency>
+                <groupId>tools.jackson.core</groupId>
+                <artifactId>jackson-core</artifactId>
+                <version>3.1.1</version>
+            </dependency>
+            <dependency>
+                <groupId>tools.jackson.core</groupId>
+                <artifactId>jackson-databind</artifactId>
+                <version>3.1.1</version>
+            </dependency>
+            <dependency>
+                <groupId>tools.jackson.core</groupId>
+                <artifactId>jackson-annotations</artifactId>
+                <version>3.1.1</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>
 

src/main/frontend/package-lock.json

@@ -12,8 +12,8 @@
     "test:e2e:report": "playwright show-report"
   },
   "dependencies": {
-    "antd": "^5.24.7",
     "@ant-design/icons": "^5.6.1",
+    "antd": "^5.24.7",
     "echarts": "^5.6.0",
     "echarts-for-react": "^3.0.2",
     "react": "^18.3.1",
@@ -32,6 +32,6 @@
     "@types/react-dom": "^18.3.5",
     "@vitejs/plugin-react": "^4.3.4",
     "typescript": "~5.7.3",
-    "vite": "^6.1.0"
+    "vite": "^6.4.2"
   }
 }