The tunnel-server fatjar was resolving vulnerable transitive dependencies from older Spring Boot/Spring Security/Tomcat lines. This update moves tunnel-server to a patched dependency line so spring-security-* and embedded Tomcat resolve to non-vulnerable versions.

• Dependency line upgrade (tunnel-server only)

  • Bumped tunnel-server to spring-boot.version: 3.5.11.
  • Dropped prior explicit pinning of Spring Security 5.8.x and Tomcat 9.x in favor of Boot-managed versions from the upgraded BOM.
  • Added local dependencyManagement alignment for logging to avoid parent BOM drift:
    • org.slf4j:slf4j-api → 2.0.17
    • ch.qos.logback:logback-classic/core → 1.5.32

• Spring Security 6 migration in tunnel-server

  • Replaced WebSecurityConfigurerAdapter with SecurityFilterChain bean configuration.
  • Updated authorization DSL to authorizeHttpRequests(...) with Customizer.withDefaults() for form login.

• Jakarta namespace migration

  • Updated servlet imports used by tunnel-server web controllers:
    • javax.servlet.http.HttpServletRequest → jakarta.servlet.http.HttpServletRequest

Example of the security config migration:

@Bean
SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
    httpSecurity.authorizeHttpRequests((authorize) -> authorize
            .requestMatchers(EndpointRequest.toAnyEndpoint()).authenticated()
            .anyRequest().permitAll())
        .formLogin(Customizer.withDefaults());

    if (arthasProperties.isEnableIframeSupport()) {
        httpSecurity.headers((headers) -> headers.frameOptions((frameOptions) -> frameOptions.disable()));
    }
    return httpSecurity.build();
}

• Fixes Bump Spring Boot Version to Fix Outdated Dependencies #3139

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.