LabKey · labkey-adam · Mar 20, 2026 · Mar 22, 2026 · Mar 22, 2026 · Mar 23, 2026
diff --git a/build.gradle b/build.gradle
@@ -314,6 +314,9 @@ allprojects {
                     force "net.java.dev.jna:jna:${jnaVersion}"
                     force "net.java.dev.jna:jna-platform:${jnaVersion}"
 
+                    // Spring AI 2.0 and Duo SDK bring in different versions
+                    force "net.bytebuddy:byte-buddy:${byteBuddyVersion}"
+
                     // Reactor - transitive dependency via azure-core; force for version consistency across modules
                     force "io.projectreactor:reactor-core:${reactorCoreVersion}"
 
@@ -375,6 +378,14 @@ allprojects {
                     // Force consistency for dependencies from pipeline and query
                     force "org.dom4j:dom4j:${dom4jVersion}"
 
+                    // Force spring-ai components to bring in spring-* versions that match the rest of spring
+                    force "org.springframework:spring-context-support:${springVersion}"
+                    force "org.springframework:spring-messaging:${springVersion}"
+                    force "org.springframework:spring-webflux:${springVersion}"
+
+                    // Force spring-ai components to bring in the AssertJ version we want
+                    force "org.assertj:assertj-core:${assertjVersion}"
+
                     // Force consistency between pipeline's ActiveMQ and cloud's jClouds dependencies
                     force "javax.annotation:javax.annotation-api:${javaxAnnotationVersion}"
 
@@ -390,6 +401,9 @@ allprojects {
                     // Force latest hadoop-hdfs-client for CVE-2021-37404, CVE-2022-25168, CVE-2022-26612, CVE-2021-25642, CVE-2021-33036, CVE-2023-26031
                     force "org.apache.hadoop:hadoop-hdfs-client:${hadoopHdfsClientVersion}"
 
+                    // Spring AI 2.0 brings in Jackson3. Force it to match embedded and mitigate CVEs.
+                    force "tools.jackson.core:jackson-core:${jackson3Version}"
+
                     dependencySubstitution {
                         // Because the client api artifact name is not the same as the directory structure, we use
                         // Gradle's dependency substitution so the dependency will appear correctly in the pom files that

diff --git a/gradle.properties b/gradle.properties
@@ -107,6 +107,9 @@ apacheTomcatVersion=11.0.18
 # tika
 asmVersion=9.9.1
 
+# Also defined in testAutomation/gradle.properties
+assertjVersion=3.27.7
+
 # Microsoft library for sending OAuth2-authenticated notification emails via the Microsoft Graph API
 azureIdentityVersion=1.18.2
 
@@ -117,6 +120,8 @@ batikVersion=1.19
 bouncycastlePgpVersion=1.83
 bouncycastleVersion=1.83
 
+byteBuddyVersion=1.18.7
+
 cglibNodepVersion=2.2.3
 
 checkerQualVersion=3.53.0
@@ -305,10 +310,10 @@ slf4jLog4jApiVersion=2.0.17
 snappyJavaVersion=1.1.10.8
 
 # Also, update apacheTomcatVersion above to match Spring Boot's Tomcat dependency version
-springBootVersion=4.0.3
+springBootVersion=4.0.4
 # This usually matches the Spring Framework version dictated by springBootVersion
-springVersion=7.0.5
-springAiVersion=2.0.0-M2
+springVersion=7.0.6
+springAiVersion=2.0.0-M3
 
 sqliteJdbcVersion=3.51.2.0