From f1bd36691dbdac8894acc977aeb7a439627d1282 Mon Sep 17 00:00:00 2001
From: Adam Rauch
Date: Fri, 20 Mar 2026 12:34:41 -0700
Subject: [PATCH 1/8] Update Spring AI to 2.0.0-M3
---
 gradle.properties | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gradle.properties b/gradle.properties
index 2b26e3b577..cd38938de3 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -308,7 +308,7 @@ snappyJavaVersion=1.1.10.8
 springBootVersion=4.0.3
 # This usually matches the Spring Framework version dictated by springBootVersion
 springVersion=7.0.5
-springAiVersion=2.0.0-M2
+springAiVersion=2.0.0-M3
 sqliteJdbcVersion=3.51.2.0
From 177a5842a5777c2d3951c12f84108db8823e4f86 Mon Sep 17 00:00:00 2001
From: Adam Rauch
Date: Sun, 22 Mar 2026 13:39:38 -0700
Subject: [PATCH 2/8] Force ByteBuddy version to avoid conflict
---
 build.gradle | 3 +++
 gradle.properties | 2 ++
 2 files changed, 5 insertions(+)
diff --git a/build.gradle b/build.gradle
index d7d6ec57d5..8196d2c164 100644
--- a/build.gradle
+++ b/build.gradle
@@ -314,6 +314,9 @@ allprojects {
 force "net.java.dev.jna:jna:${jnaVersion}"
 force "net.java.dev.jna:jna-platform:${jnaVersion}"
+ // Spring AI 2.0 and Duo SDK bring in different versions
+ force "net.bytebuddy:byte-buddy:${byteBuddyVersion}"
+
 // Reactor - transitive dependency via azure-core; force for version consistency across modules
 force "io.projectreactor:reactor-core:${reactorCoreVersion}"
diff --git a/gradle.properties b/gradle.properties
index cd38938de3..d2bfba6ea5 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -117,6 +117,8 @@ batikVersion=1.19
 bouncycastlePgpVersion=1.83
 bouncycastleVersion=1.83
+byteBuddyVersion=1.18.7
+
 cglibNodepVersion=2.2.3
 checkerQualVersion=3.53.0
From 80cc90910a7c16abfae04eab775605efcdcfc1cf Mon Sep 17 00:00:00 2001
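Review bot: In [PATCH 2/8], build.gradle, the new `force "net.bytebuddy:byte-buddy:${byteBuddyVersion}"` pins only the `byte-buddy` artifact. `byte-buddy-agent` is released under the same version numbers and is often resolved alongside it, so if Spring AI or the Duo SDK also brings in the agent it can still land on a different version than the forced core; whether it is on the classpath is not visible from this hunk. If it is, add `force "net.bytebuddy:byte-buddy-agent:${byteBuddyVersion}"` on the next line. The enclosing block starts and ends outside the hunk.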
From: Adam Rauch
Date: Sun, 22 Mar 2026 14:59:13 -0700
Subject: [PATCH 3/8] Force Jackson3 and upgrade Spring versions because conflicts and CVEs
---
 build.gradle | 3 +++
 gradle.properties | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/build.gradle b/build.gradle
index 8196d2c164..cb735be450 100644
--- a/build.gradle
+++ b/build.gradle
@@ -393,6 +393,9 @@ allprojects {
 // Force latest hadoop-hdfs-client for CVE-2021-37404, CVE-2022-25168, CVE-2022-26612, CVE-2021-25642, CVE-2021-33036, CVE-2023-26031
 force "org.apache.hadoop:hadoop-hdfs-client:${hadoopHdfsClientVersion}"
+ // Spring AI 2.0 brings in Jackson3. Force it to match embedded and mitigate CVEs.
+ force "tools.jackson.core:jackson-core:${jackson3Version}"
+
 dependencySubstitution {
 // Because the client api artifact name is not the same as the directory structure, we use
 // Gradle's dependency substitution so the dependency will appear correctly in the pom files that
diff --git a/gradle.properties b/gradle.properties
index d2bfba6ea5..652a15fa85 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -307,9 +307,9 @@ slf4jLog4jApiVersion=2.0.17
 snappyJavaVersion=1.1.10.8
 # Also, update apacheTomcatVersion above to match Spring Boot's Tomcat dependency version
-springBootVersion=4.0.3
+springBootVersion=4.0.4
 # This usually matches the Spring Framework version dictated by springBootVersion
-springVersion=7.0.5
+springVersion=7.0.6
 springAiVersion=2.0.0-M3
 sqliteJdbcVersion=3.51.2.0
From e5252c75a63db2383ea95e1757503f97511240c9 Mon Sep 17 00:00:00 2001
From: Adam Rauch
Date: Mon, 23 Mar 2026 07:54:30 -0700
Subject: [PATCH 4/8] Force more spring dependencies to use our official version
---
 build.gradle | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/build.gradle b/build.gradle
index cb735be450..5915b505d3 100644
--- a/build.gradle
+++ b/build.gradle
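Review bot: In [PATCH 3/8], build.gradle, the comment on the new `force "tools.jackson.core:jackson-core:${jackson3Version}"` says the force will "mitigate CVEs" but names none, while the hadoop-hdfs-client comment directly above lists every CVE id. Without the ids nobody can later tell which finding this line closes or when it can be dropped, so name them in the comment, e.g. `// Spring AI 2.0 brings in Jackson3. Force it to match embedded and mitigate <CVE id(s)>.`. Only `jackson-core` is forced; if the advisories concern `tools.jackson.core:jackson-databind`, this line does not cover it. `jackson3Version` is not defined anywhere in this patch, so presumably it already exists in gradle.properties; the same unnamed "to avoid CVEs" wording recurs in the AssertJ comment in [PATCH 6/8].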
@@ -378,6 +378,11 @@ allprojects {
 // Force consistency for dependencies from pipeline and query
 force "org.dom4j:dom4j:${dom4jVersion}"
+ // Force spring-ai components to bring in spring-* versions that match the rest of spring
+ force "org.springframework:spring-context-support:${springVersion}"
+ force "org.springframework:spring-messaging:${springVersion}"
+ force "org.springframework:spring-webflux:${springVersion}"
+
 // Force consistency between pipeline's ActiveMQ and cloud's jClouds dependencies
 force "javax.annotation:javax.annotation-api:${javaxAnnotationVersion}"
From 5507883c6c417b6f69ba9e5368b3b2c02bb126b5 Mon Sep 17 00:00:00 2001
From: Adam Rauch
Date: Mon, 23 Mar 2026 08:26:06 -0700
Subject: [PATCH 5/8] Force assertj version
---
 build.gradle | 3 +++
 gradle.properties | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/build.gradle b/build.gradle
index 5915b505d3..9d484c8e9b 100644
--- a/build.gradle
+++ b/build.gradle
@@ -383,6 +383,9 @@ allprojects {
 force "org.springframework:spring-messaging:${springVersion}"
 force "org.springframework:spring-webflux:${springVersion}"
+ // Force spring-ai components to bring in the AssertJ version we want
+ force "org.assertj:assertj-core:${assertjVersion}"
+
 // Force consistency between pipeline's ActiveMQ and cloud's jClouds dependencies
 force "javax.annotation:javax.annotation-api:${javaxAnnotationVersion}"
diff --git a/gradle.properties b/gradle.properties
index 652a15fa85..2808adc087 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -107,6 +107,9 @@ apacheTomcatVersion=11.0.18
 # tika
 asmVersion=9.9.1
+# Also defined in testAutomation/gradle.properties
+assertjVersion=3.27.7
+
 # Microsoft library for sending OAuth2-authenticated notification emails via the Microsoft Graph API
 azureIdentityVersion=1.18.2
From e17f4f135f87749217edda4431b06b69c75bf890 Mon Sep 17 00:00:00 2001
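Review bot: In [PATCH 4/8], build.gradle, the three new `force "org.springframework:spring-…:${springVersion}"` lines pin modules one at a time, so any other `org.springframework` module that spring-ai pulls in transitively keeps whatever version spring-ai requests. A mixed Spring Framework classpath, possibly including a module that misses the fixes this series upgrades for, would then go unnoticed until someone extends the list by hand. Aligning the group by rule avoids that on each spring-ai upgrade. This assumes the surrounding block is a `resolutionStrategy` closure, which opens outside the hunk, and that no existing rule already does the alignment.

```groovy
// Force spring-ai components to bring in spring-* versions that match the rest of spring
eachDependency { details ->
    // assumes every org.springframework:spring-* module resolved here belongs to Spring Framework; confirm
    if (details.requested.group == 'org.springframework' && details.requested.name.startsWith('spring-')) {
        details.useVersion(springVersion)
        details.because('align all Spring Framework modules with springVersion')
    }
}
// … unchanged: remaining force lines …
```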
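Review bot: In [PATCH 5/8], gradle.properties, `assertjVersion=3.27.7` is introduced as a second copy of a value that its own comment says is also defined in testAutomation/gradle.properties. Nothing visible ties the two copies together, so a later bump made in only one file leaves the other build resolving the older release. State the obligation in the comment, e.g. `# Also defined in testAutomation/gradle.properties; update both together`.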
From: Adam Rauch
Date: Tue, 24 Mar 2026 17:14:14 -0700
Subject: [PATCH 6/8] Fix version discrepancy with jsonschema-generator
---
 build.gradle | 9 ++++++++-
 gradle.properties | 5 +++++
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/build.gradle b/build.gradle
index 9d484c8e9b..57608dcf13 100644
--- a/build.gradle
+++ b/build.gradle
@@ -383,9 +383,16 @@ allprojects {
 force "org.springframework:spring-messaging:${springVersion}"
 force "org.springframework:spring-webflux:${springVersion}"
- // Force spring-ai components to bring in the AssertJ version we want
+ // Force spring-ai components to bring in the latest AssertJ version to avoid CVEs. Note that
+ // spring-ai 2.0.0-M3 probably pulled this in by mistake. https://github.com/spring-projects/spring-ai/issues/5646
 force "org.assertj:assertj-core:${assertjVersion}"
+ // spring-ai 2.0.0-M3 was compiled against jsonschema-generator 4.38.0 (Jackson 2.x) but
+ // its pom mistakenly declares 5.0.0 (Jackson 3.x/tools.jackson), causing NoSuchMethodError
+ force "com.github.victools:jsonschema-generator:${jsonschemaGeneratorVersion}"
+ force "com.github.victools:jsonschema-module-jackson:${jsonschemaGeneratorVersion}"
+ force "com.github.victools:jsonschema-module-swagger-2:${jsonschemaGeneratorVersion}"
+
 // Force consistency between pipeline's ActiveMQ and cloud's jClouds dependencies
 force "javax.annotation:javax.annotation-api:${javaxAnnotationVersion}"
diff --git a/gradle.properties b/gradle.properties
index 2808adc087..0b24150068 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -108,6 +108,7 @@ apacheTomcatVersion=11.0.18
 asmVersion=9.9.1
 # Also defined in testAutomation/gradle.properties
+# This was probably added to spring-ai by mistake: https://github.com/spring-projects/spring-ai/issues/5646
 assertjVersion=3.27.7
 # Microsoft library for sending OAuth2-authenticated notification emails via the Microsoft Graph API
@@ -315,6 +316,10 @@ springBootVersion=4.0.4
 springVersion=7.0.6
 springAiVersion=2.0.0-M3
+# spring-ai 2.0.0-M3 was compiled against 4.38.0 but its pom mistakenly declares 5.0.0, which uses
+# Jackson 3.x (tools.jackson) instead of Jackson 2.x (com.fasterxml.jackson), causing NoSuchMethodError
+jsonschemaGeneratorVersion=4.38.0
+
 sqliteJdbcVersion=3.51.2.0
 # NLP and SAML bring stax2-api in as a transitive dependency but with very different versions. We force the later version.
From ea9d448590421332c5bd2b85c262838bcd4a71fd Mon Sep 17 00:00:00 2001
From: Adam Rauch
Date: Tue, 24 Mar 2026 17:53:57 -0700
Subject: [PATCH 7/8] Add -parameters to Java build so spring can resolve parameter names
---
 build.gradle | 1 +
 1 file changed, 1 insertion(+)
diff --git a/build.gradle b/build.gradle
index 57608dcf13..084c20be3b 100644
--- a/build.gradle
+++ b/build.gradle
@@ -59,6 +59,7 @@ allprojects {
 JavaCompile compile ->
 compile.options.incremental = true // Gradle 3.4
 compile.options.encoding = 'UTF-8'
+ compile.options.compilerArgs << '-parameters' // Preserve method parameter names for Spring AI reflection
 }
 }
From 251de5b4d3f1738458c7979c77b87697c3c76c7d Mon Sep 17 00:00:00 2001
From: Adam Rauch
Date: Wed, 25 Mar 2026 08:37:28 -0700
Subject: [PATCH 8/8] Correct version of jsonschema
---
 build.gradle | 6 ------
 gradle.properties | 4 ----
 2 files changed, 10 deletions(-)
diff --git a/build.gradle b/build.gradle
index 084c20be3b..a4aa43b55f 100644
--- a/build.gradle
+++ b/build.gradle
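Review bot: In [PATCH 7/8], build.gradle, the new `compile.options.compilerArgs << '-parameters'` sits in the `allprojects` JavaCompile configuration, so every module's class files now carry method parameter names, although the trailing comment gives Spring AI reflection as the only reason. If the global scope is intended, say so in the comment, e.g. `// Applied to every module on purpose: Spring AI reads parameter names reflectively`. If only the modules that expose methods to Spring AI need it, set the flag in those modules' build files instead. The closure this line belongs to starts outside the hunk.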
@@ -388,12 +388,6 @@ allprojects {
 // spring-ai 2.0.0-M3 probably pulled this in by mistake. https://github.com/spring-projects/spring-ai/issues/5646
 force "org.assertj:assertj-core:${assertjVersion}"
- // spring-ai 2.0.0-M3 was compiled against jsonschema-generator 4.38.0 (Jackson 2.x) but
- // its pom mistakenly declares 5.0.0 (Jackson 3.x/tools.jackson), causing NoSuchMethodError
- force "com.github.victools:jsonschema-generator:${jsonschemaGeneratorVersion}"
- force "com.github.victools:jsonschema-module-jackson:${jsonschemaGeneratorVersion}"
- force "com.github.victools:jsonschema-module-swagger-2:${jsonschemaGeneratorVersion}"
-
 // Force consistency between pipeline's ActiveMQ and cloud's jClouds dependencies
 force "javax.annotation:javax.annotation-api:${javaxAnnotationVersion}"
diff --git a/gradle.properties b/gradle.properties
index 0b24150068..6b7d04aa5b 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -316,10 +316,6 @@ springBootVersion=4.0.4
 springVersion=7.0.6
 springAiVersion=2.0.0-M3
-# spring-ai 2.0.0-M3 was compiled against 4.38.0 but its pom mistakenly declares 5.0.0, which uses
-# Jackson 3.x (tools.jackson) instead of Jackson 2.x (com.fasterxml.jackson), causing NoSuchMethodError
-jsonschemaGeneratorVersion=4.38.0
-
 sqliteJdbcVersion=3.51.2.0
 # NLP and SAML bring stax2-api in as a transitive dependency but with very different versions. We force the later version.