From 9499d6451d5fbb4759eda3682cc6cfce6aa4e28c Mon Sep 17 00:00:00 2001
From: Susan Hert <susanh@labkey.com>
Date: Mon, 13 Apr 2026 06:20:33 -0700
Subject: [PATCH 1/2] Update tomcat and springboot versions and don't register
 purge tasks without atrifactory properties (#1332)

---
 build.gradle      | 25 ++++++++++++++-----------
 gradle.properties |  4 ++--
 2 files changed, 16 insertions(+), 13 deletions(-)

diff --git a/build.gradle b/build.gradle
index 6d09333974..98610dee68 100644
--- a/build.gradle
+++ b/build.gradle
@@ -563,16 +563,19 @@ project.tasks.register('ijConfigure') {
         task.dependsOn(project.tasks.ijRunConfigurationsSetup)
 }
 
-project.tasks.register('purgeNpmAlphaVersions', PurgeNpmAlphaVersions) {
-    group = GroupNames.NPM_RUN
-    description = "Given an alpha version prefix for npm packages via the property -P${PurgeNpmAlphaVersions.ALPHA_PREFIX_PROPERTY}=yourPrefix, " +
-            "removes all packages with versions that match that prefix from Artifactory (e.g., @labkey/components-1.2.3-yourPrefix.0 and @labkey/premium-0.3.4-yourPrefix.1). " +
-            " Use -PdryRun to see what versions would be deleted without actually doing the deletion."
-}
+if (project.hasProperty('artifactory_contextUrl') && project.hasProperty('artifactory_user') && project.hasProperty('artifactory_password'))
+{
+    project.tasks.register('purgeNpmAlphaVersions', PurgeNpmAlphaVersions) {
+        group = GroupNames.NPM_RUN
+        description = "Given an alpha version prefix for npm packages via the property -P${PurgeNpmAlphaVersions.ALPHA_PREFIX_PROPERTY}=yourPrefix, " +
+                "removes all packages with versions that match that prefix from Artifactory (e.g., @labkey/components-1.2.3-yourPrefix.0 and @labkey/premium-0.3.4-yourPrefix.1). " +
+                " Use -PdryRun to see what versions would be deleted without actually doing the deletion."
+    }
 
-project.tasks.register('purgeNpmVersions', PurgeNpmVersions) {
-    group = GroupNames.NPM_RUN
-    description = "Given a package name via -P${PurgeNpmVersions.PACKAGE_NAME_PROP}=name (without the @labkey prefix) and a version list via -P${PurgeNpmVersions.VERSION_LIST_PROP}=fileName for npm package, " +
-            "removes the versions specified from Artifactory. " +
-            " Use -PdryRun to see what versions would be deleted without actually doing the deletion."
+    project.tasks.register('purgeNpmVersions', PurgeNpmVersions) {
+        group = GroupNames.NPM_RUN
+        description = "Given a package name via -P${PurgeNpmVersions.PACKAGE_NAME_PROP}=name (without the @labkey prefix) and a version list via -P${PurgeNpmVersions.VERSION_LIST_PROP}=fileName for npm package, " +
+                "removes the versions specified from Artifactory. " +
+                " Use -PdryRun to see what versions would be deleted without actually doing the deletion."
+    }
 }
diff --git a/gradle.properties b/gradle.properties
index 53e73973e7..d17e693829 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -100,7 +100,7 @@ apacheDirectoryVersion=2.1.7
 apacheMinaVersion=2.2.5
 
 # Usually matches the version specified as a Spring Boot dependency (see springBootVersion below)
-apacheTomcatVersion=11.0.18
+apacheTomcatVersion=11.0.20
 
 # (mothership) -> json-path -> json-smart -> accessor-smart
 # (core) -> graalvm
@@ -294,7 +294,7 @@ slf4jLog4jApiVersion=2.0.17
 snappyJavaVersion=1.1.10.8
 
 # Also, update apacheTomcatVersion above to match Spring Boot's Tomcat dependency version
-springBootVersion=4.0.4
+springBootVersion=4.0.5
 # This usually matches the Spring Framework version dictated by springBootVersion
 springVersion=7.0.6
 springAiVersion=2.0.0-M4

From 5213677361a0ee1e8140c24d308445f3d11f7838 Mon Sep 17 00:00:00 2001
From: Susan Hert <susanh@labkey.com>
Date: Mon, 13 Apr 2026 13:41:32 -0700
Subject: [PATCH 2/2] Update tomcat, log4j2, and grpc versions to address CVEs
 (#1334)

---
 build.gradle      | 3 ++-
 gradle.properties | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/build.gradle b/build.gradle
index 98610dee68..4bb7c7a57e 100644
--- a/build.gradle
+++ b/build.gradle
@@ -34,7 +34,8 @@ allprojects {
             if (project.hasProperty('ossIndexUsername') && project.hasProperty('ossIndexPassword'))
             {
                 analyzers.ossIndex.username = project.property('ossIndexUsername')
-                analyzers.ossIndex.password = project.property('ossIndexPassword');
+                analyzers.ossIndex.password = project.property('ossIndexPassword')
+                analyzers.ossIndex.url = "https://api.guide.sonatype.com"
             }
             else
             {
diff --git a/gradle.properties b/gradle.properties
index d17e693829..fbc8e3d822 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -100,7 +100,7 @@ apacheDirectoryVersion=2.1.7
 apacheMinaVersion=2.2.5
 
 # Usually matches the version specified as a Spring Boot dependency (see springBootVersion below)
-apacheTomcatVersion=11.0.20
+apacheTomcatVersion=11.0.21
 
 # (mothership) -> json-path -> json-smart -> accessor-smart
 # (core) -> graalvm
@@ -169,7 +169,7 @@ googleProtocolBufVersion=3.25.8
 # "java.lang.NoSuchMethodError: 'void com.google.gson.internal.ConstructorConstructor.<init>(java.util.Map)'" errors
 gsonVersion=2.8.9
 
-grpcVersion=1.78.0
+grpcVersion=1.80.0
 
 guavaVersion=33.5.0-jre
 
@@ -246,7 +246,7 @@ jxlVersion=2.6.3
 
 kaptchaVersion=2.3
 
-log4j2Version=2.25.3
+log4j2Version=2.25.4
 
 lombokVersion=1.18.42