
Development: Bump dependencies#12554

Open
krusche wants to merge 1 commit intodevelopfrom
chore/bump-dependencies

Conversation

Member

@krusche krusche commented Apr 18, 2026

Summary

Routine dependency maintenance: bumps several runtime and tooling dependencies to their latest compatible patch releases. No functional behaviour changes.

Checklist

General

Motivation and Context

Keeping third-party dependencies current with upstream patch releases.

Description

  • Bump Bouncy Castle bcpkix-jdk18on and bcprov-jdk18on from 1.83 → 1.84, and pin the transitive bcpg-jdk18on (pulled via sshd-git) to 1.84 for consistency.
  • Override the Spring Boot BOM to pin Thymeleaf to 3.1.4.RELEASE via ext["thymeleaf.version"].
  • Override the Spring Boot BOM to pin Tomcat embed to 11.0.21 via ext["tomcat.version"].
  • Bump hono 4.12.12 → 4.12.14 in the root overrides.
  • Add follow-redirects 1.16.0 to documentation/package.json overrides.

Resolved versions were verified via ./gradlew dependencyInsight and ./gradlew compileJava -x webapp (compiles cleanly).

Steps for Testing

Prerequisites: Docker running, local dev environment.

  1. Pull the branch and run ./gradlew bootRun -x webapp — application starts cleanly.
  2. Run npm install — lockfile installs without warnings/errors.
  3. Smoke test a login flow (Thymeleaf email templates) and a git-based programming exercise (Bouncy Castle via sshd-git).

Summary by CodeRabbit

  • Chores
    • Updated multiple dependency versions to improve compatibility and stability.

- Bouncy Castle bcpkix-jdk18on / bcprov-jdk18on 1.83 -> 1.84, pin transitive bcpg-jdk18on
- Thymeleaf 3.1.3 -> 3.1.4.RELEASE via Spring Boot BOM override
- Tomcat embed 11.0.20 -> 11.0.21 via Spring Boot BOM override
- hono 4.12.12 -> 4.12.14
- follow-redirects pinned to 1.16.0 in documentation/ overrides

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
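The description relies on npm overrides (hono 4.12.14, follow-redirects 1.16.0) taking effect through the regenerated lockfiles. The following added example, which is not code from the PR or the project, checks a package-lock.json (lockfileVersion 3 layout) for every installed copy of a pinned package, including nested ones, and reports any copy below the pin; the lockfile contents and the package name some-tool are constructed for the demonstration.

```python
"""Verify that npm `overrides` pins actually landed in package-lock.json.

An override in package.json only takes effect once the lockfile is regenerated,
so after a bump it is worth confirming that every installed copy of the package,
root or nested, resolves to the pinned version.
"""
import json
from typing import Dict, List

# Constructed sample lockfile (lockfileVersion 3 layout), not the project's real one.
# The nested copy of hono under the hypothetical package some-tool is still at the old version.
SAMPLE_LOCK = json.loads("""
{
  "name": "sample-app",
  "lockfileVersion": 3,
  "packages": {
    "": { "name": "sample-app", "overrides": { "hono": "4.12.14" } },
    "node_modules/hono": { "version": "4.12.14" },
    "node_modules/follow-redirects": { "version": "1.16.0" },
    "node_modules/some-tool": { "version": "2.0.0" },
    "node_modules/some-tool/node_modules/hono": { "version": "4.12.12" }
  }
}
""")

# Pins taken from the PR description.
PINS = {"hono": "4.12.14", "follow-redirects": "1.16.0"}


def parse_version(v: str) -> tuple:
    """Turn '4.12.14' into (4, 12, 14) for numeric comparison; a prerelease suffix is ignored."""
    return tuple(int(p) for p in v.split("-", 1)[0].split("."))


def installed_copies(lock: dict, name: str) -> Dict[str, str]:
    """Map every lockfile path that installs `name` (root or nested) to its version."""
    suffix = "node_modules/" + name
    return {path: meta["version"] for path, meta in lock["packages"].items()
            if path.endswith(suffix) and "version" in meta}


def check_pins(lock: dict, pins: Dict[str, str]) -> List[str]:
    """One finding per installed copy older than its pin, or per pinned package missing entirely."""
    findings = []
    for name, pin in pins.items():
        copies = installed_copies(lock, name)
        if not copies:
            findings.append(f"{name}: pinned to {pin} but not present in lockfile")
        for path, version in copies.items():
            if parse_version(version) < parse_version(pin):
                findings.append(f"{path}: {version} is below pin {pin}")
    return findings


if __name__ == "__main__":
    for line in check_pins(SAMPLE_LOCK, PINS) or ["all pins satisfied"]:
        print(line)
```

Point it at the real lockfile with `json.load(open("package-lock.json"))` to run the same check against the repository.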
Contributor

coderabbitai bot commented Apr 18, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 945f7ad and cca4530.

⛔ Files ignored due to path filters (2)
  • documentation/package-lock.json is excluded by !**/package-lock.json
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (3)
  • build.gradle
  • documentation/package.json
  • package.json

Walkthrough

Updated three dependency and configuration files: Gradle build configuration now pins Thymeleaf to 3.1.4.RELEASE and Tomcat to 11.0.21, while upgrading Bouncy Castle libraries from 1.83 to 1.84. Node.js package overrides added version pins for follow-redirects (1.16.0) and updated hono (4.12.12 → 4.12.14).

Changes

Cohort / File(s): Gradle Build Configuration (build.gradle)
Summary: Added Gradle ext property overrides for thymeleaf.version (3.1.4.RELEASE) and tomcat.version (11.0.21). Upgraded Bouncy Castle dependencies (bcpkix-jdk18on, bcprov-jdk18on, bcpg-jdk18on) from 1.83 to 1.84.

Cohort / File(s): Node.js Package Overrides (package.json, documentation/package.json)
Summary: Added follow-redirects 1.16.0 override in documentation config. Updated hono from 4.12.12 to 4.12.14 in main package overrides.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Pre-merge checks: 3 passed
  • Description Check: Passed. Check skipped, CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title 'Development: Bump dependencies' accurately summarizes the main change, routine dependency version bumps across multiple configuration files.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Contributor

Copilot AI left a comment


Pull request overview

Routine dependency maintenance to keep third‑party libraries aligned with patched releases (notably for CVE/GHSA fixes) across the main application build and the documentation site tooling.

Changes:

  • Bump hono from 4.12.12 → 4.12.14 in root npm overrides (+ lockfile update).
  • Pin follow-redirects to 1.16.0 for documentation/ via npm overrides (+ lockfile update).
  • Update Gradle dependency pins: Bouncy Castle bcpkix/bcprov to 1.84 and explicitly pin transitive bcpg to 1.84; override Spring Boot BOM properties for Thymeleaf (3.1.4.RELEASE) and Tomcat (11.0.21).

Reviewed changes

Copilot reviewed 2 out of 5 changed files in this pull request and generated no comments.

Summary per file:
  • package.json: Updates root overrides to bump hono.
  • package-lock.json: Aligns lockfile resolution with the updated hono version.
  • documentation/package.json: Adds an override to pin follow-redirects for the documentation toolchain.
  • documentation/package-lock.json: Aligns lockfile resolution with the pinned follow-redirects version.
  • build.gradle: Pins patched versions for Bouncy Castle artifacts and overrides Spring Boot BOM properties for Thymeleaf/Tomcat.
Files not reviewed (1)
  • documentation/package-lock.json: Language not supported


@krusche krusche added this to the 9.0.1 milestone Apr 18, 2026

github-actions bot commented Apr 18, 2026

End-to-End Test Results

Phase: All Tests. Status: ✅ Passed.
All E2E Tests Report (PR): 253 ran, 251 passed, 2 skipped, 0 failed, 26m 49s.

Test Strategy: Running all tests (configuration or infrastructure changes detected)

Overall: ✅ All E2E tests passed


Contributor

@Claudia-Anthropica Claudia-Anthropica left a comment


@krusche Clean dependency bump — Bouncy Castle, Thymeleaf, Tomcat, hono, and follow-redirects all pinned to patched versions with GHSA references. Looks good.

Projects

Status: Work In Progress

3 participants