From f1bd36691dbdac8894acc977aeb7a439627d1282 Mon Sep 17 00:00:00 2001 From: Adam Rauch Date: Fri, 20 Mar 2026 12:34:41 -0700 Subject: [PATCH 1/5] Update Spring AI to 2.0.0-M3 --- gradle.properties | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gradle.properties b/gradle.properties index 2b26e3b577..cd38938de3 100644 --- a/gradle.properties +++ b/gradle.properties @@ -308,7 +308,7 @@ snappyJavaVersion=1.1.10.8 springBootVersion=4.0.3 # This usually matches the Spring Framework version dictated by springBootVersion springVersion=7.0.5 -springAiVersion=2.0.0-M2 +springAiVersion=2.0.0-M3 sqliteJdbcVersion=3.51.2.0 From 177a5842a5777c2d3951c12f84108db8823e4f86 Mon Sep 17 00:00:00 2001 From: Adam Rauch Date: Sun, 22 Mar 2026 13:39:38 -0700 Subject: [PATCH 2/5] Force ByteBuddy version to avoid conflict --- build.gradle | 3 +++ gradle.properties | 2 ++ 2 files changed, 5 insertions(+) diff --git a/build.gradle b/build.gradle index d7d6ec57d5..8196d2c164 100644 --- a/build.gradle +++ b/build.gradle @@ -314,6 +314,9 @@ allprojects { force "net.java.dev.jna:jna:${jnaVersion}" force "net.java.dev.jna:jna-platform:${jnaVersion}" + // Spring AI 2.0 and Duo SDK bring in different versions + force "net.bytebuddy:byte-buddy:${byteBuddyVersion}" + // Reactor - transitive dependency via azure-core; force for version consistency across modules force "io.projectreactor:reactor-core:${reactorCoreVersion}" diff --git a/gradle.properties b/gradle.properties index cd38938de3..d2bfba6ea5 100644 --- a/gradle.properties +++ b/gradle.properties @@ -117,6 +117,8 @@ batikVersion=1.19 bouncycastlePgpVersion=1.83 bouncycastleVersion=1.83 +byteBuddyVersion=1.18.7 + cglibNodepVersion=2.2.3 checkerQualVersion=3.53.0 From 80cc90910a7c16abfae04eab775605efcdcfc1cf Mon Sep 17 00:00:00 2001 From: Adam Rauch Date: Sun, 22 Mar 2026 14:59:13 -0700 Subject: [PATCH 3/5] Force Jackson3 and upgrade Spring versions because conflicts and CVEs --- build.gradle | 3 +++ gradle.properties | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/build.gradle b/build.gradle index 8196d2c164..cb735be450 100644 --- a/build.gradle +++ b/build.gradle @@ -393,6 +393,9 @@ allprojects { // Force latest hadoop-hdfs-client for CVE-2021-37404, CVE-2022-25168, CVE-2022-26612, CVE-2021-25642, CVE-2021-33036, CVE-2023-26031 force "org.apache.hadoop:hadoop-hdfs-client:${hadoopHdfsClientVersion}" + // Spring AI 2.0 brings in Jackson3. Force it to match embedded and mitigate CVEs. + force "tools.jackson.core:jackson-core:${jackson3Version}" + dependencySubstitution { // Because the client api artifact name is not the same as the directory structure, we use // Gradle's dependency substitution so the dependency will appear correctly in the pom files that diff --git a/gradle.properties b/gradle.properties index d2bfba6ea5..652a15fa85 100644 --- a/gradle.properties +++ b/gradle.properties @@ -307,9 +307,9 @@ slf4jLog4jApiVersion=2.0.17 snappyJavaVersion=1.1.10.8 # Also, update apacheTomcatVersion above to match Spring Boot's Tomcat dependency version -springBootVersion=4.0.3 +springBootVersion=4.0.4 # This usually matches the Spring Framework version dictated by springBootVersion -springVersion=7.0.5 +springVersion=7.0.6 springAiVersion=2.0.0-M3 sqliteJdbcVersion=3.51.2.0 From e5252c75a63db2383ea95e1757503f97511240c9 Mon Sep 17 00:00:00 2001 From: Adam Rauch Date: Mon, 23 Mar 2026 07:54:30 -0700 Subject: [PATCH 4/5] Force more spring dependencies to use our official version --- build.gradle | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/build.gradle b/build.gradle index cb735be450..5915b505d3 100644 --- a/build.gradle +++ b/build.gradle @@ -378,6 +378,11 @@ allprojects { // Force consistency for dependencies from pipeline and query force "org.dom4j:dom4j:${dom4jVersion}" + // Force spring-ai components to bring in spring-* versions that match the rest of spring + force "org.springframework:spring-context-support:${springVersion}" + force "org.springframework:spring-messaging:${springVersion}" + force "org.springframework:spring-webflux:${springVersion}" + // Force consistency between pipeline's ActiveMQ and cloud's jClouds dependencies force "javax.annotation:javax.annotation-api:${javaxAnnotationVersion}" From 5507883c6c417b6f69ba9e5368b3b2c02bb126b5 Mon Sep 17 00:00:00 2001 From: Adam Rauch Date: Mon, 23 Mar 2026 08:26:06 -0700 Subject: [PATCH 5/5] Force assertj version --- build.gradle | 3 +++ gradle.properties | 3 +++ 2 files changed, 6 insertions(+) diff --git a/build.gradle b/build.gradle index 5915b505d3..9d484c8e9b 100644 --- a/build.gradle +++ b/build.gradle @@ -383,6 +383,9 @@ allprojects { force "org.springframework:spring-messaging:${springVersion}" force "org.springframework:spring-webflux:${springVersion}" + // Force spring-ai components to bring in the AssertJ version we want + force "org.assertj:assertj-core:${assertjVersion}" + // Force consistency between pipeline's ActiveMQ and cloud's jClouds dependencies force "javax.annotation:javax.annotation-api:${javaxAnnotationVersion}" diff --git a/gradle.properties b/gradle.properties index 652a15fa85..2808adc087 100644 --- a/gradle.properties +++ b/gradle.properties @@ -107,6 +107,9 @@ apacheTomcatVersion=11.0.18 # tika asmVersion=9.9.1 +# Also defined in testAutomation/gradle.properties +assertjVersion=3.27.7 + # Microsoft library for sending OAuth2-authenticated notification emails via the Microsoft Graph API azureIdentityVersion=1.18.2