
[Snyk] Fix for 9 vulnerabilities #212

Open
snyk-io-us[bot] wants to merge 1 commit into main from snyk-fix-1ed222e589bbdecaf65951d0071563ad

Conversation


snyk-io-us Bot commented Apr 22, 2026

Snyk has created this PR to fix 9 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

  • todolist-goof/pom.xml

Vulnerabilities that will be fixed with an upgrade:

Severity | Issue | Snyk ID | Score | Upgrade | Breaking change | Reachability | Exploit maturity
critical | Remote Code Execution (RCE) | SNYK-JAVA-ORGAPACHESTRUTS-6102825 | 921 | org.apache.struts:struts2-core: 6.3.0 -> 7.1.1 | | No Path Found | Mature
critical | Remote Code Execution (RCE) | SNYK-JAVA-ORGAPACHESTRUTS-8496612 | 811 | org.apache.struts:struts2-core: 6.3.0 -> 7.1.1 | Major version upgrade | Reachable | Proof of Concept
high | Incomplete Cleanup | SNYK-JAVA-ORGAPACHESTRUTS-14172798 | 225 | org.apache.struts:struts2-core: 6.3.0 -> 7.1.1 | | No Path Found | Proof of Concept
high | Incomplete Cleanup | SNYK-JAVA-ORGSPRINGFRAMEWORK-16109615 | 154 | org.springframework:spring-web: 3.2.6.RELEASE -> 6.2.17 | Major version upgrade | No Path Found | No Known Exploit
high | Uncontrolled Recursion | SNYK-JAVA-ORGAPACHECOMMONS-10734078 | 145 | org.apache.struts:struts2-core: 6.3.0 -> 7.1.1 | Major version upgrade | No Path Found | No Known Exploit
high | Allocation of Resources Without Limits or Throttling | SNYK-JAVA-COMMONSFILEUPLOAD-10363252 | 126 | org.apache.struts:struts2-core: 6.3.0 -> 7.1.1 | | No Path Found | No Known Exploit
medium | Denial of Service (DoS) | SNYK-JAVA-ORGAPACHESTRUTS-6100744 | 60 | org.apache.struts:struts2-core: 6.3.0 -> 7.1.1 | | No Path Found | No Known Exploit
medium | Allocation of Resources Without Limits or Throttling | SNYK-JAVA-ORGSPRINGFRAMEWORK-16109618 | 50 | org.springframework:spring-web: 3.2.6.RELEASE -> 6.2.17 | Major version upgrade | No Path Found | No Known Exploit
medium | Uncontrolled Resource Consumption ('Resource Exhaustion') | SNYK-JAVA-COMMONSIO-8161190 | 45 | org.apache.struts:struts2-core: 6.3.0 -> 7.1.1 | | No Path Found | No Known Exploit

Breaking Change Risk

Merge Risk: High

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Allocation of Resources Without Limits or Throttling
🦉 Uncontrolled Resource Consumption ('Resource Exhaustion')
🦉 Remote Code Execution (RCE)


snyk-io-us Bot commented Apr 22, 2026

Merge Risk: High

This upgrade contains two major, high-risk version migrations. The upgrade of Spring Web from 3.2 to 6.2 is exceptionally complex and will require a multi-stage migration effort, including a mandatory update to Java 17 and a complete migration to Jakarta EE. The Struts upgrade is also a major version change with significant breaking changes.

org.springframework:spring-web@3.2.6.RELEASE → 6.2.17

Risk: HIGH

This is a massive upgrade spanning three major versions (4.x, 5.x, and 6.x) and over a decade of framework evolution. Direct migration is not feasible; this will require a staged upgrade and extensive code refactoring. Attempting this jump in a single step is extremely high risk.

Key Breaking Changes:

  • Java 17 Baseline: Spring Framework 6 requires Java 17 or later.
  • Jakarta EE 9+ Migration: This is the most significant breaking change. Spring 6 is based on the jakarta.* namespace, replacing the javax.* namespace used in previous versions. This requires:
    • Updating all imports from javax.servlet.* to jakarta.servlet.*, javax.persistence.* to jakarta.persistence.*, etc.
    • Upgrading to a compatible web server like Tomcat 10.1+ or Jetty 11+.
    • Upgrading to compatible versions of other libraries, such as Hibernate ORM 5.6+ (with the jakarta classifier) or 6.1+.
  • Removed APIs and Integrations: Numerous features and classes deprecated in versions 4 and 5 have been removed in version 6. This includes support for Apache Commons FileUpload, Tiles, Velocity, and many other integrations.
  • Core Framework Changes: Many internal behaviors and APIs have changed. For example, HttpMethod is now a class instead of an enum, and controller detection is stricter.

Recommendation: Do not merge this upgrade directly. A dedicated, multi-sprint migration plan is required. The recommended path is to upgrade incrementally: 3.2 → 4.3 → 5.3 → 6.2, addressing breaking changes and deprecations at each stage.

org.apache.struts:struts2-core@6.3.0 → 7.1.1

Risk: HIGH

This is a major version upgrade from Struts 6 to 7. While less complex than the Spring migration, it introduces significant breaking changes that require developer action.

Key Breaking Changes:

  • Java 17 Requirement: Struts 7 requires Java 17 or later to run.
  • Jakarta EE Migration: Requires a servlet container that supports Jakarta Servlet API 6.
  • Package Refactoring: The core XWork2 package com.opensymphony.xwork2 has been renamed and migrated to org.apache.struts2. A search and replace will be necessary.
  • Security Hardening: Defaults have been made more secure, which may affect existing application behavior. This includes stricter namespace matching and limits on OGNL expression length.
  • Removed Plugins: Support for DWR and Sitemesh plugins has been removed.

Recommendation: Follow the official Struts 6 to 7 migration guide. The changes are well-documented but will require careful code and configuration updates.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.
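The breaking changes listed in the assessment above (javax.servlet.* and javax.persistence.* moving to the jakarta.* namespace, and com.opensymphony.xwork2 moving to org.apache.struts2) are the kind of thing worth sizing before a reviewer decides whether this PR can be merged as-is. The script below is an added example, not Snyk's code and not part of the todolist-goof project: it walks a Java source tree, reports every import that must be renamed for Spring 6 / Struts 7, and counts findings per legacy prefix. The prefix table holds only the packages the assessment names; the sample source files it writes to a temporary directory are constructed for the demo.

```python
"""Migration readiness check for the Jakarta / Struts 7 namespace changes.

Added example (not from the PR or the project). Scans *.java files for
imports whose package prefix the Snyk assessment says must be renamed.
"""
import re
import tempfile
from collections import Counter
from pathlib import Path

# Old prefix -> new prefix. Limited to the packages named in the assessment.
LEGACY_PREFIXES = {
    "javax.servlet.": "jakarta.servlet.",
    "javax.persistence.": "jakarta.persistence.",
    "com.opensymphony.xwork2.": "org.apache.struts2.",
}

# Matches "import a.b.C;" and "import static a.b.C.m;" at line start.
IMPORT_RE = re.compile(r"^\s*import\s+(static\s+)?([\w.]+)\s*;", re.MULTILINE)


def scan_source(text):
    """Return [(old_import, suggested_import)] for imports that must move."""
    findings = []
    for match in IMPORT_RE.finditer(text):
        fq_name = match.group(2)
        for old, new in LEGACY_PREFIXES.items():
            if fq_name.startswith(old):
                findings.append((fq_name, new + fq_name[len(old):]))
    return findings


def scan_tree(root):
    """Map relative file path -> findings, for files that need changes."""
    report = {}
    root = Path(root)
    for path in sorted(root.rglob("*.java")):
        found = scan_source(path.read_text(encoding="utf-8"))
        if found:
            report[path.relative_to(root).as_posix()] = found
    return report


def summarize(report):
    """Count findings per legacy prefix so the migration effort can be sized."""
    counts = Counter()
    for findings in report.values():
        for old, _ in findings:
            for prefix in LEGACY_PREFIXES:
                if old.startswith(prefix):
                    counts[prefix] += 1
    return counts


# Constructed sample tree (hypothetical classes) so the demo runs offline.
SAMPLE_FILES = {
    "src/main/java/demo/TodoAction.java": (
        "package demo;\n"
        "import com.opensymphony.xwork2.ActionSupport;\n"
        "import javax.servlet.http.HttpServletRequest;\n"
        "public class TodoAction extends ActionSupport {}\n"
    ),
    "src/main/java/demo/AuditFilter.java": (
        "package demo;\n"
        "import javax.servlet.Filter;\n"
        "import java.util.List;\n"
        "public class AuditFilter {}\n"
    ),
    "src/main/java/demo/Util.java": (
        "package demo;\nimport java.util.Map;\npublic class Util {}\n"
    ),
}


def run_demo():
    """Write the sample tree to a temp dir, scan it, return (report, counts)."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_FILES.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body, encoding="utf-8")
        report = scan_tree(tmp)
        return report, summarize(report)


if __name__ == "__main__":
    demo_report, demo_counts = run_demo()
    for filename, items in demo_report.items():
        print(filename)
        for old, new in items:
            print(f"  {old} -> {new}")
    print(dict(demo_counts))
```

Run it against a real checkout by calling scan_tree on the module directory instead of run_demo; a non-empty report on a tree that still targets Struts 6.3.0 and Spring 3.2 is the concrete evidence behind the "do not merge directly" recommendation, and the per-prefix counts give a first estimate of how much of the refactor is mechanical renaming versus the container and library upgrades the assessment also lists.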


snyk-io Bot commented Apr 22, 2026

Snyk checks have passed. No issues have been found so far.

Status | Scan engine | Critical | High | Medium | Low | Total
passed | Open Source Security | 0 | 0 | 0 | 0 | 0 issues
passed | Licenses | 0 | 0 | 0 | 0 | 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.


snyk-io-us Bot commented Apr 22, 2026

Snyk checks have passed. No issues have been found so far.

Status | Scan engine | Critical | High | Medium | Low | Total
passed | Open Source Security | 0 | 0 | 0 | 0 | 0 issues
passed | Licenses | 0 | 0 | 0 | 0 | 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.


snyk-io Bot commented Apr 22, 2026

Snyk checks have passed. No issues have been found so far.

Status | Scan engine | Critical | High | Medium | Low | Total
passed | Open Source Security | 0 | 0 | 0 | 0 | 0 issues
passed | Licenses | 0 | 0 | 0 | 0 | 0 issues
passed | Code Security | 0 | 0 | 0 | 0 | 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.


thavelock commented Apr 22, 2026

Snyk checks have passed. No issues have been found so far.

Status | Scan engine | Critical | High | Medium | Low | Total
passed | Open Source Security | 0 | 0 | 0 | 0 | 0 issues
passed | Licenses | 0 | 0 | 0 | 0 | 0 issues
passed | Code Security | 0 | 0 | 0 | 0 | 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.


snyk-io Bot commented Apr 22, 2026

Snyk checks have passed. No issues have been found so far.

Status | Scan engine | Critical | High | Medium | Low | Total
passed | Open Source Security | 0 | 0 | 0 | 0 | 0 issues
passed | Licenses | 0 | 0 | 0 | 0 | 0 issues
passed | Code Security | 0 | 0 | 0 | 0 | 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.


thavelock commented Apr 22, 2026

Snyk checks have passed. No issues have been found so far.

Status | Scan engine | Critical | High | Medium | Low | Total
passed | Open Source Security | 0 | 0 | 0 | 0 | 0 issues
passed | Licenses | 0 | 0 | 0 | 0 | 0 issues
passed | Code Security | 0 | 0 | 0 | 0 | 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.


thavelock commented Apr 22, 2026

Snyk checks have passed. No issues have been found so far.

Status | Scan engine | Critical | High | Medium | Low | Total
passed | Open Source Security | 0 | 0 | 0 | 0 | 0 issues
passed | Licenses | 0 | 0 | 0 | 0 | 0 issues
passed | Code Security | 0 | 0 | 0 | 0 | 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.
