
SWI-3723 [Snyk] Fix for 1 vulnerabilities #930

Open
bwappsec wants to merge 1 commit into master from snyk-fix-ebe1f549f0fac8ebed1afb24e578fc42

Conversation


@bwappsec bwappsec commented Mar 5, 2026


Snyk has created this PR to fix 1 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

  • samples/server/petstore/kotlin-springboot-reactive/pom.xml

Vulnerabilities that will be fixed with an upgrade:

Issue: high severity - Allocation of Resources Without Limits or Throttling (SNYK-JAVA-COMFASTERXMLJACKSONCORE-15365924)
Score: 170
Upgrade: org.springdoc:springdoc-openapi-webflux-ui 1.6.8 -> 1.7.0 (Major version upgrade; No Path Found; Proof of Concept)

Breaking Change Risk

Merge Risk: High

Notice: This assessment is enhanced by AI.

Vulnerabilities that could not be fixed

  • Upgrade:
    • Could not upgrade com.fasterxml.jackson.dataformat:jackson-dataformat-xml@2.13.5 to com.fasterxml.jackson.dataformat:jackson-dataformat-xml@2.18.6; Reason: could not apply upgrade, dependency is managed externally; Location: https://maven-central.storage-download.googleapis.com/maven2/com/fasterxml/jackson/jackson-bom/2.13.5/jackson-bom-2.13.5.pom
    • Could not upgrade com.fasterxml.jackson.dataformat:jackson-dataformat-yaml@2.13.5 to com.fasterxml.jackson.dataformat:jackson-dataformat-yaml@2.18.6; Reason: could not apply upgrade, dependency is managed externally; Location: https://maven-central.storage-download.googleapis.com/maven2/com/fasterxml/jackson/jackson-bom/2.13.5/jackson-bom-2.13.5.pom
    • Could not upgrade com.fasterxml.jackson.datatype:jackson-datatype-jsr310@2.13.5 to com.fasterxml.jackson.datatype:jackson-datatype-jsr310@2.18.6; Reason: could not apply upgrade, dependency is managed externally; Location: https://maven-central.storage-download.googleapis.com/maven2/com/fasterxml/jackson/jackson-bom/2.13.5/jackson-bom-2.13.5.pom
    • Could not upgrade org.springframework.boot:spring-boot-starter-webflux@2.7.15 to org.springframework.boot:spring-boot-starter-webflux@4.0.0; Reason: could not apply upgrade, dependency is managed externally; Location: https://maven-central.storage-download.googleapis.com/maven2/org/springframework/boot/spring-boot-dependencies/2.7.15/spring-boot-dependencies-2.7.15.pom

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Allocation of Resources Without Limits or Throttling
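The "dependency is managed externally" reason above means the jackson-* versions come from the jackson-bom that spring-boot-dependencies 2.7.15 imports, so editing the sample's own dependency entries does nothing. The following is an added example (not the sample's actual pom.xml and not Snyk's change) showing the two usual ways to take over that version from the project's pom; it assumes the sample inherits from spring-boot-starter-parent 2.7.15, which exposes the jackson-bom.version property, and uses a placeholder groupId.

```xml
<!-- Added example, not the project's pom.xml: override the externally managed
     Jackson BOM so the jackson-* artifacts resolve to 2.18.6.
     Assumption: the project inherits from spring-boot-starter-parent 2.7.15. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.15</version>
  </parent>
  <groupId>example.placeholder</groupId> <!-- placeholder groupId -->
  <artifactId>kotlin-springboot-reactive</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <!-- Option A: override the parent's property. In 2.7.15 this property
         defaults to 2.13.5, which is the version Snyk could not change. -->
    <jackson-bom.version>2.18.6</jackson-bom.version>
  </properties>

  <!-- Option B: import a newer jackson-bom explicitly. In dependencyManagement
       the first import wins, so this must appear before any import of
       spring-boot-dependencies when the parent is not used. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.fasterxml.jackson</groupId>
        <artifactId>jackson-bom</artifactId>
        <version>2.18.6</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Declared without a version: the managed version (now 2.18.6) applies. -->
    <dependency>
      <groupId>com.fasterxml.jackson.dataformat</groupId>
      <artifactId>jackson-dataformat-yaml</artifactId>
    </dependency>
  </dependencies>
</project>
```

Confirm the override took effect with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` before merging; running Jackson 2.18 under Spring Boot 2.7 is a combination the Boot BOM does not pin, so the build and test suite are the only evidence that it works.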


bwappsec commented Mar 5, 2026

Merge Risk: High

This upgrade contains a major version update to Spring Boot from 2.7.15 to 4.0.0, which introduces significant breaking changes. The target version 4.0.0 is a future release (expected late 2025); this analysis assumes the intended upgrade is to the current stable Spring Boot 3.x line, which is already a major migration.

org.springframework.boot:spring-boot-starter-webflux@2.7.15 → 4.0.0 (Assumed 3.x) - HIGH RISK

This is a major and breaking upgrade that requires significant developer action.

  • Java 17 Required: Spring Boot 3.0 requires Java 17 as the minimum version. [22, 27, 28, 31]
  • Jakarta EE Migration: All dependencies and code must be migrated from Java EE (javax.*) to Jakarta EE (jakarta.*) packages. This is a major source code change. [27, 31]
  • Configuration Property Changes: Numerous configuration properties have been renamed or removed. You must use the spring-boot-properties-migrator module to identify and update your application.properties or application.yml files. [23, 24]
  • Spring Security 6.0: The upgrade pulls in Spring Security 6.0, which has its own set of breaking changes and migration steps. [23]

org.springdoc:springdoc-openapi-webflux-ui@1.6.8 → 1.7.0 - HIGH RISK (Incompatible)

This upgrade is incompatible with the move to Spring Boot 3.x.

  • springdoc-openapi version 1.x is only compatible with Spring Boot 2.x. [6, 18, 34]
  • For Spring Boot 3.x, you must upgrade to springdoc-openapi version 2.x. [3, 6, 19]

com.fasterxml.jackson.* upgrades (2.13.5 → 2.18.6) - MEDIUM RISK

While these are minor version bumps, they cross several releases and introduce changes that require verification:

  • Stricter Parsing & Security Limits: Jackson 2.15 introduced new default processing limits (e.g., maximum string length) for security reasons, and version 2.17 enforces stricter parsing for numbers represented as strings. [2, 7, 11, 17]
  • Behavioral Changes: The precedence of @JsonIgnore over @JsonProperty was changed in version 2.14, which could alter serialization behavior. [15]

Recommendation: This is a major migration effort that cannot be completed without significant code and configuration changes. The Spring Boot upgrade from 2.x to 3.x should be handled as a dedicated project. The springdoc-openapi dependency must be updated to a compatible 2.x version, not 1.7.0.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

bwappsec changed the title from "[Snyk] Fix for 1 vulnerabilities" to "SWI-3723 [Snyk] Fix for 1 vulnerabilities" on Mar 5, 2026

bwappsec commented Mar 5, 2026

Snyk checks have passed. No issues have been found so far.

Status  Scanner                Critical  High  Medium  Low  Total (0)
        Open Source Security   0         0     0       0    0 issues
        Licenses               0         0     0       0    0 issues
        Code Security          0         0     0       0    0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.
