From 6040f372161c33fb0caf4020188dd8ee53b2d36f Mon Sep 17 00:00:00 2001
From: MichaelLitschauer
Date: Wed, 10 Jun 2026 09:53:12 +0200
Subject: [PATCH] =?UTF-8?q?deps(phase2):=20upgrade=20Spring=20Boot=202.4.5?=
 =?UTF-8?q?=20=E2=86=92=202.7.18=20(last=202.x=20LTS)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Closes CVEs in Spring Boot 2.4.5 stack:
- CVE-2022-22965 Spring4Shell (9.8), CVE-2022-22950 SpEL DoS (6.5), CVE-2023-20883 MVC DoS (7.5), CVE-2022-22978 security auth bypass (9.8)
- Logback 1.2.3 → 1.2.12, snakeyaml 1.27 → 1.30, spring-core 5.3.6 → 5.3.31
- Spring Security BOM-managed → 5.7.11 (removed explicit version pin)
- io.spring.dependency-management plugin 1.0.11 → 1.1.6

Workarounds for legacy components (removed in upcoming phases):
- spring.mvc.pathmatch.matching-strategy=ant_path_matcher: SpringFox breaks with Boot 2.6+ default path_pattern_parser (removed in Phase 4)
- spring.main.allow-circular-references=true: Keycloak adapter 6.0.1 has a circular reference between securityConfig and KeycloakConfigResolver that Boot 2.6 now rejects by default (removed in Phase 5)

Co-Authored-By: Claude Sonnet 4.6
---
 build.gradle                       | 9 ++++-----
 src/main/resources/application.yml | 5 +++++
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/build.gradle b/build.gradle
index 4366107..9664e59 100644
--- a/build.gradle
+++ b/build.gradle
@@ -1,7 +1,7 @@
 plugins {
-    id 'org.springframework.boot' version '2.4.5'
+    id 'org.springframework.boot' version '2.7.18'
     id 'com.palantir.docker' version '0.36.0'
-    id "io.spring.dependency-management" version "1.0.11.RELEASE"
+    id "io.spring.dependency-management" version "1.1.6"
     id 'java'
     id 'jacoco'
 }
@@ -14,8 +14,7 @@ ext {
     junitVersion = '5.11.4'
     keycloakVersion = '6.0.1'
     lombokVersion = '1.18.38'
-    springBootVersion = '2.4.5'
-    springSecurityVersion = '5.4.6'
+    springBootVersion = '2.7.18'
     testContainersVersion = '1.20.6'
     swaggerVersion = '2.9.2'
 }
@@ -93,7 +92,7 @@ dependencies {
     // Test
     testImplementation "org.springframework.boot:spring-boot-starter-test:${springBootVersion}"
-    testImplementation "org.springframework.security:spring-security-test:${springSecurityVersion}"
+    testImplementation "org.springframework.security:spring-security-test"
     testImplementation "org.junit.jupiter:junit-jupiter:${junitVersion}"
     testImplementation "org.testcontainers:junit-jupiter:${testContainersVersion}"
 }
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
index 6752ca1..18ff02f 100644
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
@@ -1,6 +1,11 @@
 spring:
   profiles:
     active: dev
+  mvc:
+    pathmatch:
+      matching-strategy: ant_path_matcher
+  main:
+    allow-circular-references: true
 server:
   port: 8001
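Review bot: `allow-circular-references: true` in the application.yml hunk re-enables circular bean references for the whole context, not only the securityConfig ↔ KeycloakConfigResolver cycle named in the commit message, so any new cycle introduced before Phase 5 will again be accepted at startup instead of failing fast. Neither workaround is explained in the file itself, so its temporary nature is visible only in git history; suggest a comment above each key, e.g. `# TODO(phase4): drop once SpringFox is replaced (Boot 2.6+ default is path_pattern_parser)` and `# TODO(phase5): drop with Keycloak adapter 6.0.1; re-check that no other cycles have crept in`. Both keys sit under the top-level `spring:` block rather than a profile-specific document, so they apply to every profile, which is presumably intended but worth stating in the comment. `ant_path_matcher` keeps the 2.4.x request-matching semantics, so existing authorization rules should behave as before; when Phase 4 removes it, the move to path_pattern_parser changes trailing-slash and suffix-pattern matching, and the security request matchers will need re-testing at that point.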