Merge branch 'main' into dependabot/gradle/com.atlassian.oai-swagger-request-validator-core-2.46.1

Author: pboos

gradle/libs.versions.toml

@@ -1,10 +1,10 @@
 [versions]
 java = "21"
-spring-boot = "4.0.4"
+spring-boot = "4.0.5"
 spring-dependency-management = "1.1.7"
 openapi-generator = "7.20.0"
 openapi-tools = "0.2.9"
-swagger = "2.2.45"
+swagger = "2.2.46"
 swagger-request-validator = "2.46.1"
 jakarta-validation = "3.1.1"
 lombok = "1.18.44"

openapi-validation-core/build.gradle

@@ -13,6 +13,12 @@ dependencies {
         implementation('org.mozilla:rhino:1.9.0') {
             because 'CVE-2025-66453: Rhino before 1.9.0 has high CPU usage and potential DoS when passing specific numbers to toFixed() function. See https://github.com/mozilla/rhino/security/advisories/GHSA-3w8q-xq97-5j7x'
         }
+        implementation('tools.jackson.core:jackson-core') {
+            version {
+                strictly '[3.1.1,)'
+            }
+            because 'GHSA-2m67-wjpj-xhg9: Jackson Core 3.0.0-3.1.0 does not consistently enforce maxDocumentLength constraint, allowing DoS attacks. See https://github.com/getyourguide/openapi-validation-java/security/dependabot/41'
+        }
 //        implementation('org.yaml:snakeyaml:1.33') {
 //            because 'Vulnerability in 1.33 is not yet fixed. See: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in' +
 //                    'https://devhub.checkmarx.com/cve-details/CVE-2022-41854/' +