chore: dep updates (#175)

* chore: upgrade Node 24.15.0, consolidate Jackson to 3.x only

* chore: bump deps, force patched plugin transitive deps

- Jackson BOM 3.1.1 -> 3.1.2
- MongoDB driver 5.6.4 -> 5.6.5
- SnakeYAML 2.2 -> 2.6
- OWASP dependency-check plugin 12.2.0 -> 12.2.1
- Force plexus-utils 3.6.1 (CVE fix, via cyclonedx-gradle-plugin)
- Force bcpg-jdk18on 1.84 (CVE fix, via dependency-check-gradle)

* ci: re-introduce OWASP depcheck as primary Gradle CVE scan

* ci: fix depcheck job - restore NVD cache, OSS index creds, timeout

* ci: fix depcheck NVD cache key - use stable global key with save-always

* ci: revert to grype for Gradle CVE scan, disable depcheck

Author: coopernetes

.github/workflows/ci.yml

@@ -27,7 +27,7 @@ jobs:
 
       - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # ratchet:actions/setup-node@v6
         with:
-          node-version: '24.14.1'
+          node-version: '24.15.0'
           cache: npm
           cache-dependency-path: git-proxy-java-dashboard/frontend/package-lock.json
 

.github/workflows/codeql.yml

@@ -39,7 +39,7 @@ jobs:
         if: matrix.language == 'java-kotlin'
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # ratchet:actions/setup-node@v6
         with:
-          node-version: '24.14.1'
+          node-version: '24.15.0'
           cache: npm
           cache-dependency-path: git-proxy-java-dashboard/frontend/package-lock.json
 

.github/workflows/cve.yml

@@ -38,6 +38,7 @@ jobs:
 
   grype-gradle:
     name: CVE / Gradle
+    if: true
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -77,3 +78,42 @@ jobs:
           name: sbom-gradle
           path: build/reports/cyclonedx/bom.json
           retention-days: 30
+
+  depcheck:
+    name: CVE / Dependency Check (Gradle)
+    if: false # disabled — NVD API reliability issues; re-enable when stable
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
+
+      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # ratchet:actions/setup-java@v5
+        with:
+          distribution: temurin
+          java-version: 21
+          cache: gradle
+
+      - name: Cache NVD database
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # ratchet:actions/cache@v5
+        with:
+          path: ~/.gradle/dependency-check-data/
+          key: depcheck-db
+          save-always: true
+
+      - name: Run OWASP Dependency Check
+        timeout-minutes: 180
+        env:
+          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+          OSS_INDEX_USERNAME: ${{ secrets.OSS_INDEX_USERNAME }}
+          OSS_INDEX_TOKEN: ${{ secrets.OSS_INDEX_TOKEN }}
+        run: ./gradlew dependencyCheckAggregate --info
+
+      - name: Upload report
+        if: always()
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # ratchet:actions/upload-artifact@v7
+        with:
+          name: dependency-check-report
+          path: ${{ github.workspace }}/build/reports/dependency-check*
+          retention-days: 30

Dockerfile

@@ -6,9 +6,9 @@ FROM docker.io/eclipse-temurin:21-jdk@sha256:06a4f4be86d459307036eb97c55a24686bd
 # Install Node.js directly from the official distribution with SHA256 verification.
 # To update: download the new tarball, verify against nodejs.org/dist/vX.Y.Z/SHASUMS256.txt,
 # and update both NODE_VERSION and NODE_SHA256 below.
-ARG NODE_VERSION=24.14.1
-ARG NODE_SHA256_AMD64=ace9fa104992ed0829642629c46ca7bd7fd6e76278cb96c958c4b387d29658ea
-ARG NODE_SHA256_ARM64=734ff04fa7f8ed2e8a78d40cacf5ac3fc4515dac2858757cbab313eb483ba8a2
+ARG NODE_VERSION=24.15.0
+ARG NODE_SHA256_AMD64=44836872d9aec49f1e6b52a9a922872db9a2b02d235a616a5681b6a85fec8d89
+ARG NODE_SHA256_ARM64=73afc234d558c24919875f51c2d1ea002a2ada4ea6f83601a383869fefa64eed
 ARG TARGETARCH
 RUN case "${TARGETARCH}" in \
       arm64) NODE_ARCH=linux-arm64; NODE_SHA256="${NODE_SHA256_ARM64}" ;; \

build.gradle

@@ -1,6 +1,15 @@
+buildscript {
+    configurations.configureEach {
+        resolutionStrategy {
+            force 'org.codehaus.plexus:plexus-utils:3.6.1'
+            force 'org.bouncycastle:bcpg-jdk18on:1.84'
+        }
+    }
+}
+
 plugins {
     id 'com.diffplug.spotless' version '8.4.0' apply false
-    id 'org.owasp.dependencycheck' version '12.2.0'
+    id 'org.owasp.dependencycheck' version '12.2.1'
     id 'org.cyclonedx.bom' version '3.2.4'
     id 'com.github.node-gradle.node' version '7.1.0' apply false
 }
@@ -27,19 +36,18 @@ ext {
     hikariVersion = '7.0.2'
     h2Version = '2.4.240'
     postgresVersion = '42.7.10'
-    mongoVersion = '5.6.4'
+    mongoVersion = '5.6.5'
 
     // Jackson
-    jacksonBomVersion = '3.1.1'
-    jacksonLegacyBomVersion = '2.18.6'
+    jacksonBomVersion = '3.1.2'
 
     // Spring
     springVersion = '7.0.6'
     springSecurityVersion = '7.0.4'
     springSessionVersion = '4.0.2'
 
     // YAML
-    snakeyamlVersion = '2.2'
+    snakeyamlVersion = '2.6'
 
     // Gestalt config
     gestaltVersion = '0.37.2'

git-proxy-java-server/build.gradle

@@ -62,9 +62,7 @@ dependencies {
     implementation "com.github.gestalt-config:gestalt-core:${gestaltVersion}"
     implementation "com.github.gestalt-config:gestalt-yaml:${gestaltVersion}"
 
-    // Jackson BOM — keeps all Jackson modules in sync
-    implementation platform("com.fasterxml.jackson:jackson-bom:${jacksonLegacyBomVersion}")
-    implementation 'com.fasterxml.jackson.datatype:jackson-datatype-jsr310'
+    // Jackson BOM — inherited from core's api platform(); JSR310 support is built into databind 3.x
 
     // Database drivers - include all so standalone Jetty server can use any backend
     runtimeOnly "com.h2database:h2:${h2Version}"

mise.toml

@@ -1,3 +1,3 @@
 [tools]
 java = "temurin-21"
-node = "24.14.1"
+node = "24.15.0"