From e2daa6bbcad1fe0ee0e4c34e6b41e62939c38ee8 Mon Sep 17 00:00:00 2001
From: Adam Rauch
Date: Thu, 11 Dec 2025 11:30:59 -0800
Subject: [PATCH 1/3] Suppress Rhino complaint for now (#1233)
---
 dependencyCheckSuppression.xml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml
index 423ec9f23d..199d8ab5db 100644
--- a/dependencyCheckSuppression.xml
+++ b/dependencyCheckSuppression.xml
@@ -248,4 +248,16 @@
 ^pkg:maven/com\.google\.code\.gson/gson@.*$
 CVE-2025-53864
+
+
+
+
+ ^pkg:maven/org\.mozilla/rhino@.*$
+ CVE-2025-66453
+
From 9a09528feeb7bfd37ed41e3900b9d95bba24d0e4 Mon Sep 17 00:00:00 2001
From: Adam Rauch
Date: Wed, 17 Dec 2025 17:03:47 -0800
Subject: [PATCH 2/3] Update to the latest Netty version (#1240)
---
 build.gradle | 2 +-
 gradle.properties | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/build.gradle b/build.gradle
index 52d835983e..b62d153542 100644
--- a/build.gradle
+++ b/build.gradle
@@ -331,7 +331,7 @@ allprojects {
 force "org.bouncycastle:bcprov-jdk18on:${bouncycastleVersion}"
 // force consistency in docker and connectors and saml
 force "org.bouncycastle:bcpkix-jdk18on:${bouncycastleVersion}"
- // docker dependency: force to mitigate CVEs in 4.1.46
+ // docker dependency: force to mitigate CVEs
 force "io.netty:netty-resolver:${nettyVersion}"
 force "io.netty:netty-resolver-dns:${nettyVersion}"
 force "io.netty:netty-handler:${nettyVersion}"
diff --git a/gradle.properties b/gradle.properties
index dc3e4fb21a..05a353e976 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -135,7 +135,7 @@ commonsLangVersion=2.6
 commonsLoggingVersion=1.3.5
 commonsMath3Version=3.6.1
 commonsPoolVersion=1.6
-commonsTextVersion=1.13.1
+commonsTextVersion=1.15.0
 commonsValidatorVersion=1.9.0
 commonsVfs2Version=2.10.0
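Review bot: In dependencyCheckSuppression.xml the added entry's package pattern `^pkg:maven/org\.mozilla/rhino@.*$` matches every Rhino version, so CVE-2025-66453 stays hidden from dependency-check after a fixed Rhino release ships, even though the subject says the suppression is only "for now". The element markup is not visible in this rendering, so an expiry may already be set. If it is not, dependency-check accepts an `until` attribute on the entry, e.g. `<suppress until="YYYY-MM-DDZ">` (placeholder date), which makes the finding resurface on its own. The entry's notes should also record why the CVE is considered acceptable here or which Rhino upgrade is being waited for, so a later reviewer can tell when to remove it.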
@@ -247,7 +247,7 @@ luceneVersion=9.12.2
 mssqlJdbcVersion=13.2.1.jre11
 # force for docker
-nettyVersion=4.2.5.Final
+nettyVersion=4.2.9.Final
 objenesisVersion=1.0
From 34870de35a0d4de9870fb6aff0f06d79569f672a Mon Sep 17 00:00:00 2001
From: Adam Rauch
Date: Fri, 2 Jan 2026 12:17:12 -0800
Subject: [PATCH 3/3] Update log4j2 to the latest version (#1248)
---
 gradle.properties | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gradle.properties b/gradle.properties
index 05a353e976..1b4d19d59c 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -238,7 +238,7 @@ jxlVersion=2.6.3
 kaptchaVersion=2.3
-log4j2Version=2.24.3
+log4j2Version=2.25.3
 lombokVersion=1.18.38