LabKey · labkey-adam · Mar 20, 2026 · Mar 22, 2026 · Mar 22, 2026 · Mar 23, 2026
diff --git a/build.gradle b/build.gradle
@@ -59,6 +59,7 @@ allprojects {
         JavaCompile compile ->
             compile.options.incremental = true  // Gradle 3.4
             compile.options.encoding = 'UTF-8'
+            compile.options.compilerArgs << '-parameters'  // Preserve method parameter names for Spring AI reflection
     }
 }
 
@@ -314,6 +315,9 @@ allprojects {
                     force "net.java.dev.jna:jna:${jnaVersion}"
                     force "net.java.dev.jna:jna-platform:${jnaVersion}"
 
+                    // Spring AI 2.0 and Duo SDK bring in different versions
+                    force "net.bytebuddy:byte-buddy:${byteBuddyVersion}"
+
                     // Reactor - transitive dependency via azure-core; force for version consistency across modules
                     force "io.projectreactor:reactor-core:${reactorCoreVersion}"
 
@@ -375,6 +379,21 @@ allprojects {
                     // Force consistency for dependencies from pipeline and query
                     force "org.dom4j:dom4j:${dom4jVersion}"
 
+                    // Force spring-ai components to bring in spring-* versions that match the rest of spring
+                    force "org.springframework:spring-context-support:${springVersion}"
+                    force "org.springframework:spring-messaging:${springVersion}"
+                    force "org.springframework:spring-webflux:${springVersion}"
+
+                    // Force spring-ai components to bring in the latest AssertJ version to avoid CVEs. Note that
+                    // spring-ai 2.0.0-M3 probably pulled this in by mistake. https://github.com/spring-projects/spring-ai/issues/5646
+                    force "org.assertj:assertj-core:${assertjVersion}"
+
+                    // spring-ai 2.0.0-M3 was compiled against jsonschema-generator 4.38.0 (Jackson 2.x) but
+                    // its pom mistakenly declares 5.0.0 (Jackson 3.x/tools.jackson), causing NoSuchMethodError
+                    force "com.github.victools:jsonschema-generator:${jsonschemaGeneratorVersion}"
+                    force "com.github.victools:jsonschema-module-jackson:${jsonschemaGeneratorVersion}"
+                    force "com.github.victools:jsonschema-module-swagger-2:${jsonschemaGeneratorVersion}"
+
                     // Force consistency between pipeline's ActiveMQ and cloud's jClouds dependencies
                     force "javax.annotation:javax.annotation-api:${javaxAnnotationVersion}"
 
@@ -390,6 +409,9 @@ allprojects {
                     // Force latest hadoop-hdfs-client for CVE-2021-37404, CVE-2022-25168, CVE-2022-26612, CVE-2021-25642, CVE-2021-33036, CVE-2023-26031
                     force "org.apache.hadoop:hadoop-hdfs-client:${hadoopHdfsClientVersion}"
 
+                    // Spring AI 2.0 brings in Jackson3. Force it to match embedded and mitigate CVEs.
+                    force "tools.jackson.core:jackson-core:${jackson3Version}"
+
                     dependencySubstitution {
                         // Because the client api artifact name is not the same as the directory structure, we use
                         // Gradle's dependency substitution so the dependency will appear correctly in the pom files that

diff --git a/gradle.properties b/gradle.properties
@@ -107,6 +107,10 @@ apacheTomcatVersion=11.0.18
 # tika
 asmVersion=9.9.1
 
+# Also defined in testAutomation/gradle.properties
+# This was probably added to spring-ai by mistake: https://github.com/spring-projects/spring-ai/issues/5646
+assertjVersion=3.27.7
+
 # Microsoft library for sending OAuth2-authenticated notification emails via the Microsoft Graph API
 azureIdentityVersion=1.18.2
 
@@ -117,6 +121,8 @@ batikVersion=1.19
 bouncycastlePgpVersion=1.83
 bouncycastleVersion=1.83
 
+byteBuddyVersion=1.18.7
+
 cglibNodepVersion=2.2.3
 
 checkerQualVersion=3.53.0
@@ -305,10 +311,14 @@ slf4jLog4jApiVersion=2.0.17
 snappyJavaVersion=1.1.10.8
 
 # Also, update apacheTomcatVersion above to match Spring Boot's Tomcat dependency version
-springBootVersion=4.0.3
+springBootVersion=4.0.4
 # This usually matches the Spring Framework version dictated by springBootVersion
-springVersion=7.0.5
-springAiVersion=2.0.0-M2
+springVersion=7.0.6
+springAiVersion=2.0.0-M3
+
+# spring-ai 2.0.0-M3 was compiled against 4.38.0 but its pom mistakenly declares 5.0.0, which uses
+# Jackson 3.x (tools.jackson) instead of Jackson 2.x (com.fasterxml.jackson), causing NoSuchMethodError
+jsonschemaGeneratorVersion=4.38.0
 
 sqliteJdbcVersion=3.51.2.0