**Release date:** 2026-05-05
  **Type:** Security / dependency upgrade

  ### Summary
  Bumped Spring Boot, Spring Framework, Tomcat, Logback, Jackson, and Bouncy Castle to address known CVEs (including Spring Boot
  Actuator vulnerabilities). No application code changes; runtime/dependency upgrades only.

  ### Security fixes — dependency upgrades

  | Component        | Old     | New             |
  |------------------|---------|-----------------|
  | Spring Boot      | 3.4.5   | 3.5.12          |
  | Spring Framework | 6.2.11  | 6.2.17          |
  | Apache Tomcat    | 11.0.10 | 11.0.21         |
  | Bouncy Castle    | 1.79    | 1.84            |
  | Logback          | —       | 1.5.25 (pinned) |
  | Jackson BOM      | —       | 2.18.6 (pinned) |

  ### Files touched (upstream source repo)
  - `build.gradle.kts`
  - `gradle.properties`
  - `gradle/libs.versions.toml`

  ### Files touched (this repo)
  - `DocSigner-Java17/docsigner.war`
  - `DocSigner-Java21/docsigner.war`
  - `DocSigner-Java24/docsigner.war`

  ### Impact / compatibility
  - Spring Boot minor upgrade (3.4.x → 3.5.x) — review any deprecated auto-configuration in app code; Actuator endpoint behavior
  should be re-verified.
  - Tomcat patch upgrade within 11.0.x — no API changes expected.
  - Bouncy Castle minor upgrade (1.79 → 1.84) — verify signing/crypto flows.
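
Added example, not part of the project's release notes or code: a check that a rebuilt `docsigner.war` bundles the versions listed in the table above, flagging stale, duplicate or missing jars. The jar artifact names and the `WEB-INF/lib` / `WEB-INF/lib-provided` layout are assumptions, and the sample WAR is constructed in memory.

```python
import io
import re
import zipfile

# Expected versions come from the release-notes table. The jar artifact names
# are assumptions (usual Maven names); adjust to what the WAR really bundles.
EXPECTED = {
    "spring-boot": "3.5.12",
    "spring-core": "6.2.17",
    "tomcat-embed-core": "11.0.21",
    "bcprov-jdk18on": "1.84",
    "logback-classic": "1.5.25",
    "jackson-databind": "2.18.6",
}

# <name>-<version>.jar, where the version starts with a digit.
JAR_RE = re.compile(r"^WEB-INF/lib(?:-provided)?/(?P<name>.+?)-(?P<ver>\d[\w.]*)\.jar$")

def bundled_versions(war):
    """Map artifact name -> set of versions found in the WAR's lib directories."""
    found = {}
    with zipfile.ZipFile(war) as zf:
        for entry in zf.namelist():
            m = JAR_RE.match(entry)
            if m:
                found.setdefault(m["name"], set()).add(m["ver"])
    return found

def check_war(war, expected=EXPECTED):
    """Return {artifact: problem} for each artifact that is missing, stale or duplicated."""
    found = bundled_versions(war)
    problems = {}
    for name, want in expected.items():
        have = found.get(name, set())
        if not have:
            problems[name] = "missing"
        elif have != {want}:
            problems[name] = "found " + ", ".join(sorted(have)) + ", expected " + want
    return problems

def sample_war(versions):
    """Constructed in-memory WAR holding empty jars, for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, ver in versions.items():
            zf.writestr(f"WEB-INF/lib/{name}-{ver}.jar", b"")
    buf.seek(0)
    return buf
```

`check_war` also accepts a file path such as `DocSigner-Java21/docsigner.war`; an empty result means every listed artifact is present at exactly the expected version.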