security: upgrade spring mvc and tomcat.embed (#6339)

Author: slievrly

changes/en-us/2.x.md

@@ -96,6 +96,7 @@ Add changes here for all PR submitted to the 2.x branch.
 - [[#6145](https://github.com/apache/incubator-seata/pull/6145)] upgrade jettison to 1.5.4
 - [[#6144](https://github.com/apache/incubator-seata/pull/6144)] upgrade nacos client to 1.4.6
 - [[#6147](https://github.com/apache/incubator-seata/pull/6147)] upgrade kafka-clients to 3.6.1
+- [[#6339](https://github.com/apache/incubator-seata/pull/6339)] upgrade spring mvc and tomcat.embed
 - [[#6340](https://github.com/apache/incubator-seata/pull/6340)] upgrade and tidy some dependencies
 - [[#6350](https://github.com/apache/incubator-seata/pull/6350)] remove enableDegrade properties
 - [[#6349](https://github.com/apache/incubator-seata/pull/6349)] transfer dockerhub repo

changes/zh-cn/2.x.md

@@ -96,6 +96,7 @@
 - [[#6144](https://github.com/apache/incubator-seata/pull/6144)] 升级Nacos依赖版本至1.4.6
 - [[#6145](https://github.com/apache/incubator-seata/pull/6145)] 升级 jettison依赖版本至1.5.4
 - [[#6147](https://github.com/apache/incubator-seata/pull/6147)] 升级 kafka-clients依赖至3.6.1
+- [[#6339](https://github.com/apache/incubator-seata/pull/6339)] 升级 spring mvc 和 tomcat.embed 依赖
 - [[#6340](https://github.com/apache/incubator-seata/pull/6340)] 升级和整理依赖
 - [[#6350](https://github.com/apache/incubator-seata/pull/6350)] 移除 enableDegrade 配置
 

console/pom.xml

@@ -34,6 +34,8 @@
     <properties>
         <spring-boot-for-server.version>2.7.17</spring-boot-for-server.version>
         <spring-framework-for-server.version>5.3.30</spring-framework-for-server.version>
+        <snakeyaml-for-server.version>2.0</snakeyaml-for-server.version>
+        <tomcat-embed.version>9.0.83</tomcat-embed.version>
     </properties>
 
     <dependencyManagement>
@@ -70,6 +72,16 @@
                 <type>pom</type>
                 <scope>import</scope>
             </dependency>
+            <dependency>
+                <groupId>org.yaml</groupId>
+                <artifactId>snakeyaml</artifactId>
+                <version>${snakeyaml-for-server.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.tomcat.embed</groupId>
+                <artifactId>tomcat-embed-core</artifactId>
+                <version>${tomcat-embed.version}</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>
 
@@ -89,8 +101,12 @@
             <artifactId>spring-boot-starter-web</artifactId>
             <exclusions>
                 <exclusion>
-                    <artifactId>snakeyaml</artifactId>
+                    <groupId>org.apache.tomcat.embed</groupId>
+                    <artifactId>tomcat-embed-core</artifactId>
+                </exclusion>
+                <exclusion>
                     <groupId>org.yaml</groupId>
+                    <artifactId>snakeyaml</artifactId>
                 </exclusion>
             </exclusions>
         </dependency>
@@ -125,6 +141,10 @@
             <artifactId>jjwt-jackson</artifactId>
             <scope>runtime</scope>
         </dependency>
+        <dependency>
+            <groupId>org.apache.tomcat.embed</groupId>
+            <artifactId>tomcat-embed-core</artifactId>
+        </dependency>
     </dependencies>
     <profiles>
         <profile>

dependencies/pom.xml

@@ -119,6 +119,10 @@
         <kotlin.version>1.4.32</kotlin.version>
         <kotlin-coroutines.version>1.4.3</kotlin-coroutines.version>
 
+        <!-- # for web -->
+        <spring-webmvc.version>5.3.26</spring-webmvc.version>
+        <tomcat-embed.version>9.0.83</tomcat-embed.version>
+
         <!-- # for test -->
         <mockito.version>4.11.0</mockito.version>
         <assertj-core.version>3.12.2</assertj-core.version>
@@ -157,6 +161,10 @@
                         <groupId>org.springframework</groupId>
                         <artifactId>spring-framework-bom</artifactId>
                     </exclusion>
+                    <exclusion>
+                        <groupId>org.apache.tomcat.embed</groupId>
+                        <artifactId>tomcat-embed-core</artifactId>
+                    </exclusion>
                 </exclusions>
                 <type>pom</type>
                 <scope>import</scope>
@@ -773,6 +781,17 @@
                 <artifactId>janino</artifactId>
                 <version>${janino-version}</version>
             </dependency>
+
+            <!-- web -->
+            <dependency>
+                <groupId>org.springframework</groupId>
+                <artifactId>spring-webmvc</artifactId>
+                <version>${spring-webmvc.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.tomcat.embed</groupId>
+                <artifactId>tomcat-embed-core</artifactId>
+            </dependency>
         </dependencies>
     </dependencyManagement>
 </project>

server/pom.xml

@@ -34,6 +34,8 @@
     <properties>
         <spring-boot-for-server.version>2.7.17</spring-boot-for-server.version>
         <spring-framework-for-server.version>5.3.30</spring-framework-for-server.version>
+        <snakeyaml-for-server.version>2.0</snakeyaml-for-server.version>
+        <tomcat-embed.version>9.0.83</tomcat-embed.version>
     </properties>
 
     <dependencyManagement>
@@ -70,6 +72,16 @@
                 <type>pom</type>
                 <scope>import</scope>
             </dependency>
+            <dependency>
+                <groupId>org.yaml</groupId>
+                <artifactId>snakeyaml</artifactId>
+                <version>${snakeyaml-for-server.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.tomcat.embed</groupId>
+                <artifactId>tomcat-embed-core</artifactId>
+                <version>${tomcat-embed.version}</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>
 
@@ -84,8 +96,12 @@
                     <groupId>org.apache.logging.log4j</groupId>
                 </exclusion>
                 <exclusion>
-                    <artifactId>snakeyaml</artifactId>
+                    <groupId>org.apache.tomcat.embed</groupId>
+                    <artifactId>tomcat-embed-core</artifactId>
+                </exclusion>
+                <exclusion>
                     <groupId>org.yaml</groupId>
+                    <artifactId>snakeyaml</artifactId>
                 </exclusion>
             </exclusions>
         </dependency>
@@ -257,6 +273,10 @@
             <groupId>org.codehaus.janino</groupId>
             <artifactId>janino</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.apache.tomcat.embed</groupId>
+            <artifactId>tomcat-embed-core</artifactId>
+        </dependency>
     </dependencies>
 
     <build>

test-mock-server/pom.xml

@@ -41,6 +41,7 @@
     </build>
 
     <dependencies>
+        <!-- The actual spring-related dependencies that take effect are from the seata-dependencies module, not the seata-server module-->
         <dependency>
             <groupId>org.apache.seata</groupId>
             <artifactId>seata-server</artifactId>

test/pom.xml

@@ -49,6 +49,8 @@
             <artifactId>seata-tm</artifactId>
             <version>${project.version}</version>
         </dependency>
+
+<!-- The actual spring-related dependencies that take effect are from the seata-dependencies module, not the seata-server module-->
         <dependency>
             <groupId>${project.groupId}</groupId>
             <artifactId>seata-server</artifactId>