From 76e8909b4291ceb9fa1174f47ea3f21837caa80b Mon Sep 17 00:00:00 2001
From: David Whitlock <david.m.whitlock@gmail.com>
Date: Thu, 1 Jan 2026 12:30:27 -0800
Subject: [PATCH 1/3] Update some libraries to remove CVEs.

---
 examples/pom.xml |  4 ++--
 grader/pom.xml   | 21 ++++++++++++++++++---
 pom.xml          |  8 ++++----
 web/pom.xml      |  6 +++---
 4 files changed, 27 insertions(+), 12 deletions(-)

diff --git a/examples/pom.xml b/examples/pom.xml
index 0de7c4b55..aaa03b532 100644
--- a/examples/pom.xml
+++ b/examples/pom.xml
@@ -29,12 +29,12 @@
     <dependency>
       <groupId>jakarta.xml.bind</groupId>
       <artifactId>jakarta.xml.bind-api</artifactId>
-      <version>4.0.2</version>
+      <version>4.0.4</version>
     </dependency>
     <dependency>
       <groupId>com.sun.xml.bind</groupId>
       <artifactId>jaxb-impl</artifactId>
-      <version>4.0.5</version>
+      <version>4.0.6</version>
       <scope>runtime</scope>
     </dependency>
     <dependency>
diff --git a/grader/pom.xml b/grader/pom.xml
index f3b42add6..1eae514b1 100644
--- a/grader/pom.xml
+++ b/grader/pom.xml
@@ -10,6 +10,21 @@
   <version>${grader.version}</version>
   <packaging>jar</packaging>
   <url>https://www.cs.pdx.edu/~whitlock</url>
+  <dependencyManagement>
+    <dependencies>
+      <!-- Override transitive dependencies with CVE fixes -->
+      <dependency>
+        <groupId>commons-beanutils</groupId>
+        <artifactId>commons-beanutils</artifactId>
+        <version>1.11.0</version>
+      </dependency>
+      <dependency>
+        <groupId>org.apache.commons</groupId>
+        <artifactId>commons-lang3</artifactId>
+        <version>3.18.0</version>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
   <dependencies>
     <dependency>
       <groupId>com.sun.mail</groupId>
@@ -24,12 +39,12 @@
     <dependency>
       <groupId>com.opencsv</groupId>
       <artifactId>opencsv</artifactId>
-      <version>5.9</version>
+      <version>5.10</version>
     </dependency>
     <dependency>
       <groupId>ch.qos.logback</groupId>
       <artifactId>logback-classic</artifactId>
-      <version>1.5.19</version>
+      <version>1.5.21</version>
     </dependency>
     <dependency>
       <groupId>com.google.inject</groupId>
@@ -39,7 +54,7 @@
     <dependency>
       <groupId>com.icegreen</groupId>
       <artifactId>greenmail</artifactId>
-      <version>2.0.1</version>
+      <version>2.1.2</version>
       <scope>test</scope>
     </dependency>
   </dependencies>
diff --git a/pom.xml b/pom.xml
index edf37f061..aa22459cc 100644
--- a/pom.xml
+++ b/pom.xml
@@ -59,19 +59,19 @@
 
         <guava.version>33.5.0-jre</guava.version>
         <guice.version>7.0.0</guice.version>
-        <h2.version>2.2.224</h2.version>
+        <h2.version>2.4.240</h2.version>
         <jakarta.servlet-api.version>6.1.0</jakarta.servlet-api.version>
 
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
-        <pmd.version>7.18.0</pmd.version>
+        <pmd.version>7.20.0</pmd.version>
 
         <wagon-git.version>2.0.4</wagon-git.version> <!-- Do not upgrade to 2.0.4 as it doesn't work -->
         <wagon-ssh.version>3.5.3</wagon-ssh.version>
 
         <junit.version>5.12.2</junit.version>
         <hamcrest.version>3.0</hamcrest.version>
-        <mockito.version>5.20.0</mockito.version>
+        <mockito.version>5.21.0</mockito.version>
         <surefire.version>3.5.4</surefire.version>
       <maven-jar-plugin.version>3.4.2</maven-jar-plugin.version>
       <build-helper-maven-plugin.version>3.6.1</build-helper-maven-plugin.version>
@@ -84,7 +84,7 @@
       <maven-project-info-reports-plugin.version>3.9.0</maven-project-info-reports-plugin.version>
       <maven-surefire-report-plugin.version>3.5.4</maven-surefire-report-plugin.version>
       <maven-checkstyle-plugin.version>3.6.0</maven-checkstyle-plugin.version>
-      <checkstyle.version>12.1.2</checkstyle.version>
+      <checkstyle.version>12.3.1</checkstyle.version>
       <maven-archetype-plugin.version>3.4.0</maven-archetype-plugin.version>
       <maven-javadoc-plugin.version>3.12.0</maven-javadoc-plugin.version>
       <maven-pmd-plugin.version>3.28.0</maven-pmd-plugin.version>
diff --git a/web/pom.xml b/web/pom.xml
index 1675b212f..b6c8715ba 100644
--- a/web/pom.xml
+++ b/web/pom.xml
@@ -12,7 +12,7 @@
   <version>2.0.4-SNAPSHOT</version>
   <url>http://www.cs.pdx.edu/~whitlock</url>
   <properties>
-    <resteasy.version>6.2.11.Final</resteasy.version>
+    <resteasy.version>6.2.12.Final</resteasy.version>
     <jetty.http.port>8080</jetty.http.port>
   </properties>
   <build>
@@ -112,7 +112,7 @@
     <dependency>
       <groupId>commons-io</groupId>
       <artifactId>commons-io</artifactId>
-      <version>2.18.0</version>
+      <version>2.21.0</version>
     </dependency>
     <dependency>
       <groupId>io.github.davidwhitlock.joy</groupId>
@@ -127,7 +127,7 @@
     <dependency>
       <groupId>jakarta.xml.bind</groupId>
       <artifactId>jakarta.xml.bind-api</artifactId>
-      <version>4.0.2</version>
+      <version>4.0.4</version>
     </dependency>
     <dependency>
       <groupId>org.jboss.resteasy</groupId>

From b234e9be9190560ed1eb49e6b039b56ca75a4b87 Mon Sep 17 00:00:00 2001
From: David Whitlock <david.m.whitlock@gmail.com>
Date: Thu, 1 Jan 2026 12:43:15 -0800
Subject: [PATCH 2/3] Use the old version of greenmail.

---
 grader/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/grader/pom.xml b/grader/pom.xml
index 1eae514b1..f2078a803 100644
--- a/grader/pom.xml
+++ b/grader/pom.xml
@@ -54,7 +54,7 @@
     <dependency>
       <groupId>com.icegreen</groupId>
       <artifactId>greenmail</artifactId>
-      <version>2.1.2</version>
+      <version>2.0.1</version>
       <scope>test</scope>
     </dependency>
   </dependencies>

From f9f2d9c911f64d3228fdc00f4fe3a2438fc5628d Mon Sep 17 00:00:00 2001
From: David Whitlock <david.m.whitlock@gmail.com>
Date: Thu, 1 Jan 2026 12:47:53 -0800
Subject: [PATCH 3/3] A couple more dependency updates.

---
 grader/pom.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/grader/pom.xml b/grader/pom.xml
index f2078a803..12420c0c8 100644
--- a/grader/pom.xml
+++ b/grader/pom.xml
@@ -39,12 +39,12 @@
     <dependency>
       <groupId>com.opencsv</groupId>
       <artifactId>opencsv</artifactId>
-      <version>5.10</version>
+      <version>5.12.0</version>
     </dependency>
     <dependency>
       <groupId>ch.qos.logback</groupId>
       <artifactId>logback-classic</artifactId>
-      <version>1.5.21</version>
+      <version>1.5.23</version>
     </dependency>
     <dependency>
       <groupId>com.google.inject</groupId>