Update security dependencies: 18/22 PRs resolved

[Copilot]

Resolves 18 of 22 Dependabot security PRs. Four dependencies intentionally not upgraded: Apache Shiro (3 PRs) and Guice Servlet require jakarta.servlet migration; Restlet repository unavailable.

Updated Dependencies

Build plugins

• versions-maven-plugin: 2.19.1 → 2.20.1
• dependency-check-maven: 12.1.8 → 12.1.9
• maven-surefire-plugin: 3.5.3 → 3.5.4
• maven-jar-plugin: 3.4.2 → 3.5.0
• maven-javadoc-plugin: 3.11.2 → 3.12.0

Runtime dependencies

• Selenium suite: → 4.38.0 (java, chrome-driver, ie-driver)
• Jetty: 12.1.3 → 12.1.4
• MySQL Connector: 8.4.0 → 9.5.0
• Jackson core: 2.19.2 → 2.20.1
• Commons-IO: 2.20.0 → 2.21.0
• Commons-Lang3: 3.19.0 → 3.20.0
• Eclipse Persistence Moxy: 4.0.7 → 4.0.8
• Spotless: 4.0.0 → 4.1.0
• Jython: 2.7.3 → 2.7.4

Not Updated

javax.servlet → jakarta.servlet blockers (PRs #76, #75, #64, #62)

• Apache Shiro: kept at 1.13.0 (2.0.6 requires jakarta.servlet)
• Guice Servlet: kept at 4.2.3 (7.0.0 requires jakarta.servlet)
• Note: Core Guice at 7.0.0 compatible with servlet 4.2.3

Infrastructure (PR #74)

• Restlet: kept at 2.4.3 (maven.restlet.talend.com unreachable)

All changes maintain compatibility with existing javax.servlet codebase per BUILD_FIXES_SUMMARY.md.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• maven.restlet.talend.com
  • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.11/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.11/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.11 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.11/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/cogflu/cogflu org.codehaus.plexus.classworlds.launcher.Launcher clean compile -DskipTests -T 1C (dns block)
  • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.11/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.11/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.11 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.11/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/cogflu/cogflu org.codehaus.plexus.classworlds.launcher.Launcher clean compile -DskipTests -rf :aperture-server-core (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

resolve all PRs:

security(deps): bump org.codehaus.mojo:versions-maven-plugin from 2.19.1 to 2.20.1 in /spotless-maven-plugin
#84 opened 2 days ago by dependabot bot
1

security(deps): bump com.diffplug.spotless:spotless-lib-extra from 4.0.0 to 4.1.0 in /spotless-maven-plugin
#82 opened last week by dependabot bot
1

security(deps): bump com.diffplug.spotless:spotless-lib from 4.0.0 to 4.1.0 in /spotless-maven-plugin
#81 opened last week by dependabot bot
1

security(deps): bump org.python:jython-standalone from 2.7.3 to 2.7.4
#80 opened last week by dependabot bot
1

security(deps): bump org.apache.maven.plugins:maven-surefire-plugin from 3.5.3 to 3.5.4
#79 opened last week by dependabot bot
1

security(deps): bump org.seleniumhq.selenium:selenium-chrome-driver from 4.37.0 to 4.38.0
#78 opened last week by dependabot bot
1

security(deps): bump org.seleniumhq.selenium:selenium-ie-driver from 4.34.0 to 4.38.0
#77 opened last week by dependabot bot
1

security(deps): bump org.apache.shiro:shiro-core from 1.13.0 to 2.0.6
#76 opened last week by dependabot bot
1

security(deps): bump org.apache.shiro:shiro-web from 1.13.0 to 2.0.6
#75 opened last week by dependabot bot
1

security(deps): bump org.restlet.jee:org.restlet.ext.servlet from 2.4.3 to 2.4.4
#74 opened last week by dependabot bot
1

security(deps): bump org.apache.maven.plugins:maven-jar-plugin from 3.4.2 to 3.5.0
#73 opened last week by dependabot bot
1

security(deps): bump org.eclipse.jetty:jetty-server from 12.1.3 to 12.1.4
#72 opened last week by dependabot bot
1

security(deps): bump com.mysql:mysql-connector-j from 8.4.0 to 9.5.0
#71 opened last week by dependabot bot
1

security(deps): bump com.fasterxml.jackson.core:jackson-core from 2.19.2 to 2.20.1
#70 opened last week by dependabot bot
1

security(deps): bump org.owasp:dependency-check-maven from 12.1.8 to 12.1.9
#69 opened last week by dependabot bot
1

security(deps): bump org.seleniumhq.selenium:selenium-java from 4.37.0 to 4.38.0
#68 opened last week by dependabot bot
1

security(deps): bump org.apache.commons:commons-lang3 from 3.19.0 to 3.20.0
#67 opened last week by dependabot bot
1

security(deps): bump commons-io:commons-io from 2.20.0 to 2.21.0
#66 opened last week by dependabot bot
1

security(deps): bump org.eclipse.persistence:org.eclipse.persistence.moxy from 4.0.7 to 4.0.8
#65 opened last week by dependabot bot
1

security(deps): bump org.apache.shiro:shiro-guice from 1.13.0 to 2.0.6
#64 opened last week by dependabot bot
1

security(deps): bump org.apache.maven.plugins:maven-javadoc-plugin from 3.11.2 to 3.12.0
#63 opened last week by dependabot bot
1

security(deps): bump com.google.inject.extensions:guice-servlet from 4.2.3 to 7.0.0
#62 opened last week by dependabot bot
1

Custom agent used: cogflu
Universal Kernel Generator via Elementary Differentials and B-Series Expansion

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

---

Note

Bumps key runtime deps (Jetty, Selenium, MySQL, Jackson, Commons IO/Lang, MOXy, Jython) and build plugins (OWASP, Surefire, JAR, Javadoc, Versions, Shade, Spotless) project-wide; aligns guice-servlet to 4.2.3.

• Runtime dependencies:
  • Jetty jetty-server: 12.1.3 → 12.1.4 in dev profiles (aperture-client, bitcoin, influent-app, kiva, walker).
  • Selenium suite: unify to 4.38.0 (selenium-java, -chrome-driver, -ie-driver, -firefox-driver).
  • MySQL Connector/J: 8.4.0 → 9.5.0 (influent-app, walker).
  • Jackson core: 2.19.2 → 2.20.1 (parent DM).
  • Commons IO: 2.20.0 → 2.21.0; Commons Lang3: 3.19.0 → 3.20.0 (influent-server).
  • EclipseLink MOXy: 4.0.7 → 4.0.8 (influent-server).
  • Jython: 2.7.3 → 2.7.4 (opencog-integration).
  • Align guice-servlet to 4.2.3 in parent dependencyManagement.
• Build/Tooling:
  • OWASP Dependency-Check: 12.1.8 → 12.1.9 (root, plugin module).
  • Maven Surefire: 3.5.3 → 3.5.4 (root, influent-server).
  • Maven JAR: 3.4.2 → 3.5.0; Maven Javadoc: 3.11.2 → 3.12.0 (root).
  • Versions Maven Plugin: 2.19.1 → 2.20.1 (root, plugin module).
  • Spotless libs: 4.0.0 → 4.1.0 (plugin module); Spotless Maven Plugin: 2.46.1 → 3.0.0 (selenium test reduced POM).
  • Maven Shade Plugin: 3.6.0 → 3.6.1 (influent-selenium-test).

^{Written by Cursor Bugbot for commit 90d1949. This will update automatically on new commits. Configure here.}

[danregima]

cooool