MCP-440 Update dependencies resolution (#361)

nquinquenel · web-flow · commit 43f46b1cd66f · 2026-04-27T10:00:22.000+02:00
diff --git a/build.gradle.kts b/build.gradle.kts
@@ -66,6 +66,30 @@ configurations {
 		extendsFrom(sqplugins)
 		isTransitive = true
 	}
+	all {
+		resolutionStrategy.eachDependency {
+			// Pulled in by xodus-entity-store:2.0.1
+			if (requested.group == "org.jetbrains.kotlin" && requested.name in listOf("kotlin-stdlib", "kotlin-stdlib-common")) {
+				useVersion("2.2.0")
+				because("CVE-2020-29582")
+			}
+			// Pulled in transitively by mcp-json-jackson2 and sonarlint-rpc-impl
+            if (requested.group == "com.fasterxml.jackson.core" && requested.name != "jackson-annotations") {
+                useVersion("2.21.1")
+				because("GHSA-72hv-8253-57qq")
+			}
+			// Pulled in by mcp-json-jackson3
+			if (requested.group == "tools.jackson.core") {
+				useVersion("3.1.2")
+				because("CVE-2026-29062 + GHSA-72hv-8253-57qq")
+			}
+			// Pulled in transitively by sonarlint-core
+			if (requested.group == "org.apache.commons" && requested.name == "commons-compress") {
+				useVersion("1.28.0")
+				because("CVE-2024-25710 + CVE-2024-26308")
+			}
+		}
+	}
 }
 
 dependencies {
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -9,7 +9,7 @@ cyclonedx-plugin = "2.4.1"
 
 sonar-php = "3.56.0.15870"
 
-mcp-server = "1.1.1"
+mcp-server = "1.1.2"
 commons-lang3 = "3.20.0"
 commons-text = "1.15.0"
 ayza = "10.0.4"
diff --git a/its/build.gradle.kts b/its/build.gradle.kts
@@ -40,6 +40,16 @@ repositories {
     }
 }
 
+configurations.all {
+    resolutionStrategy.eachDependency {
+        // Pulled in transitively by testcontainers:1.21.x
+        if (requested.group == "org.apache.commons" && requested.name == "commons-compress") {
+            useVersion("1.28.0")
+            because("CVE-2024-25710 + CVE-2024-26308")
+        }
+    }
+}
+
 dependencies {
     testImplementation(project(":"))
     testImplementation(libs.testcontainers)
