
Bump server deps: Tomcat 11.0.22, JUnit 6.1.0#1072

Merged
krusche merged 1 commit into
developfrom
chore/bump-server-deps-tomcat-junit
May 22, 2026

Conversation

@krusche

@krusche krusche commented May 22, 2026

Member

Summary

  • Override Spring Boot-managed Tomcat to 11.0.22 (was 11.0.21) to pull in the latest Tomcat 11 security fixes ahead of the next Spring Boot BOM release.
  • Bump JUnit Jupiter (and platform) from 6.0.3 to 6.1.0.
  • Hibernate stays on the Spring Boot-managed 7.2.12.Final intentionally.
  • Regenerate the cached CycloneDX SBOM (server/sbom/bom.json + .input-hash) to match.

All other server dependencies were already on the latest stable release per ./gradlew dependencyUpdates.

Test plan

  • ./gradlew test — 805 / 805 pass
  • ./execute-e2e-local.sh — 226 / 226 Playwright tests pass
  • ./gradlew dependencyInsight confirms tomcat-embed-core resolves to 11.0.22 and hibernate-core stays at the Spring Boot-managed 7.2.12.Final
  • SBOM regenerated and in sync

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated Apache Tomcat to version 11.0.22, incorporating important security fixes.
    • Updated JUnit to version 6.1.0 to enhance testing capabilities and stability.
    • Refreshed dependency metadata to align with latest library versions.


Overrides Spring Boot-managed Tomcat to 11.0.22 to pull in the latest
security fixes ahead of the next BOM release, and bumps JUnit Jupiter to
6.1.0. Hibernate stays on the Spring Boot-managed 7.2.12.Final.
Regenerates the CycloneDX SBOM to match.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 22, 2026 06:04
@coderabbitai

coderabbitai Bot commented May 22, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e6250882-bd93-4859-9bb8-4fbac1b8a733

📥 Commits

Reviewing files that changed from the base of the PR and between 2743b58 and 7334425.

📒 Files selected for processing (4)
  • server/build.gradle
  • server/gradle.properties
  • server/sbom/.input-hash
  • server/sbom/bom.json

Walkthrough

This PR upgrades two dependencies in the Spring Boot application: Tomcat to 11.0.22 (for security fixes) and JUnit to 6.1.0. The Gradle build files are updated explicitly, and the software bill of materials is regenerated to reflect the new versions and dependency relationships.

Changes

Dependency Version Upgrades

Layer: Gradle version configuration
Files: server/build.gradle, server/gradle.properties
Summary: Tomcat is pinned to 11.0.22 via ext["tomcat.version"] override to pull security fixes before the next BOM release; JUnit is bumped from 6.0.3 to 6.1.0 in the Gradle properties.

Layer: Software bill of materials regeneration
Files: server/sbom/.input-hash, server/sbom/bom.json
Summary: Input hash and BOM metadata are updated with new package references, checksums, and dependency relationships for Tomcat 11.0.22 and JUnit 6.1.0 across all affected modules.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

ready for review

Suggested reviewers

  • Claudia-Anthropica
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title check: ✅ Passed. The title accurately describes the main changes: bumping Tomcat to 11.0.22 and JUnit to 6.1.0, which are the primary alterations across server/build.gradle, server/gradle.properties, and the SBOM files.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


Copilot AI left a comment


Pull request overview

This PR updates the server’s dependency set by overriding Spring Boot’s managed Tomcat version to pick up the latest Tomcat 11 security fixes and by bumping JUnit (Jupiter + Platform) to 6.1.0, with the committed CycloneDX SBOM regenerated to reflect the resolved dependency graph.

Changes:

  • Override Spring Boot-managed Tomcat to 11.0.22 via Gradle extra property.
  • Bump junit_version from 6.0.3 to 6.1.0 (affecting JUnit Jupiter + Platform artifacts).
  • Regenerate server/sbom/bom.json and server/sbom/.input-hash to match the updated resolution.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

server/build.gradle: Adds a Spring Boot Tomcat version override (tomcat.version = 11.0.22).
server/gradle.properties: Updates the centralized junit_version to 6.1.0.
server/sbom/bom.json: Regenerated SBOM reflecting Tomcat 11.0.22 and JUnit 6.1.0.
server/sbom/.input-hash: Updated SBOM input hash to match the dependency-defining inputs.


@Claudia-Anthropica Claudia-Anthropica left a comment

Collaborator


Clean dependency bump. The Tomcat override uses the standard ext["tomcat.version"] Spring Boot mechanism, the JUnit var is applied consistently to both jupiter and platform artifacts, and the regenerated SBOM is fully in sync — I recomputed cat build.gradle gradle.properties settings.gradle | shasum -a 256 and it matches the committed .input-hash exactly (so the CI staleness check will pass), and bom.json reflects 11.0.22 / 6.1.0 with no stale 11.0.21 / 6.0.3 refs left over. Nice work.
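The two checks the reviewer describes above (recomputing the SBOM input hash and confirming bom.json carries 11.0.22 / 6.1.0 with no leftover 11.0.21 / 6.0.3 references) are worth having as a script rather than a one-off, because the committed hash only protects against drift if someone actually recomputes it. The following is an added example, not code from the PR or the project: a POSIX shell script that runs both checks on a constructed stand-in for server/. It assumes server/sbom/.input-hash holds the SHA-256 digest as its first whitespace-separated field, that either sha256sum or shasum is installed, and that the BOM uses standard CycloneDX pkg:maven purls; the fixture files (a build.gradle with the ext["tomcat.version"] override, gradle.properties with junit_version, and a two-component bom.json) are made up here so the script runs offline.

```shell
#!/bin/sh
# Added example for this PR page, not code from the project or the PR itself.
# Reproduces the reviewer's two checks on a constructed fixture: recompute the
# SBOM input hash from the Gradle files and compare it with the committed
# sbom/.input-hash, then confirm bom.json carries the new coordinates and none
# of the superseded ones. Paths mirror the PR; fixture contents are made up.
set -eu

# Hash the dependency-defining inputs exactly as the reviewer did:
#   cat build.gradle gradle.properties settings.gradle | shasum -a 256
# Prints only the hex digest so it compares cleanly with the committed file.
compute_input_hash() {            # $1 = directory holding the three Gradle files
  if command -v sha256sum >/dev/null 2>&1; then
    (cd "$1" && cat build.gradle gradle.properties settings.gradle | sha256sum) | cut -d' ' -f1
  else
    (cd "$1" && cat build.gradle gradle.properties settings.gradle | shasum -a 256) | cut -d' ' -f1
  fi
}

# Returns 0 when the committed hash matches the current inputs, 1 when the
# Gradle files changed but the SBOM was not regenerated (the CI staleness case).
sbom_inputs_fresh() {             # $1 = server directory
  committed=$(awk '{print $1; exit}' "$1/sbom/.input-hash")
  [ "$committed" = "$(compute_input_hash "$1")" ]
}

# Count fixed-string occurrences of a Maven package URL fragment in the BOM.
# CycloneDX purls look like pkg:maven/<group>/<artifact>@<version>.
count_purl() {                    # $1 = bom.json  $2 = e.g. tomcat-embed-core@11.0.22
  grep -cF -- "$2" "$1" || true
}

# Returns 0 only if the new versions are present AND the superseded ones are gone.
bom_versions_consistent() {       # $1 = bom.json  $2/$3 = new/old Tomcat  $4/$5 = new/old JUnit
  [ "$(count_purl "$1" "org.apache.tomcat.embed/tomcat-embed-core@$2")" -gt 0 ] &&
  [ "$(count_purl "$1" "tomcat-embed-core@$3")" -eq 0 ] &&
  [ "$(count_purl "$1" "org.junit.jupiter/junit-jupiter@$4")" -gt 0 ] &&
  [ "$(count_purl "$1" "junit-jupiter@$5")" -eq 0 ]
}

# Constructed stand-in for server/: the Gradle override the PR adds, the
# junit_version property, and a two-component BOM. Prints the directory.
make_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/sbom"
  cat > "$dir/build.gradle" <<'EOF'
plugins { id 'org.springframework.boot' }
// Override the Spring Boot BOM-managed Tomcat version ahead of the next BOM release
ext["tomcat.version"] = "11.0.22"
dependencies {
    testImplementation "org.junit.jupiter:junit-jupiter:${junit_version}"
    testRuntimeOnly "org.junit.platform:junit-platform-launcher:${junit_version}"
}
EOF
  echo 'junit_version=6.1.0' > "$dir/gradle.properties"
  echo "rootProject.name = 'server'" > "$dir/settings.gradle"
  cat > "$dir/sbom/bom.json" <<'EOF'
{ "bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  { "type": "library", "group": "org.apache.tomcat.embed", "name": "tomcat-embed-core", "version": "11.0.22",
    "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@11.0.22" },
  { "type": "library", "group": "org.junit.jupiter", "name": "junit-jupiter", "version": "6.1.0",
    "purl": "pkg:maven/org.junit.jupiter/junit-jupiter@6.1.0" } ] }
EOF
  compute_input_hash "$dir" > "$dir/sbom/.input-hash"   # what the SBOM generator commits
  echo "$dir"
}

# Stand-alone demo: a fresh fixture passes both checks; editing build.gradle
# without regenerating the SBOM makes the staleness check fail, which is the
# whole point of committing the input hash next to the BOM.
demo() {
  d=$(make_fixture)
  sbom_inputs_fresh "$d" && echo "input hash: in sync"
  bom_versions_consistent "$d/sbom/bom.json" 11.0.22 11.0.21 6.1.0 6.0.3 && echo "bom.json: 11.0.22 / 6.1.0, no stale refs"
  echo 'ext["tomcat.version"] = "11.0.23"' >> "$d/build.gradle"
  sbom_inputs_fresh "$d" || echo "input hash: STALE after editing build.gradle"
  rm -rf "$d"
}
demo
```

Against the real checkout you would point the functions at server/ instead of the fixture; the stale-hash branch is the case the CI check exists to catch, since a version override in build.gradle that never makes it into bom.json leaves the SBOM claiming a Tomcat version the artifact no longer ships. The hash only covers the declared inputs, so the test plan's resolution check (./gradlew dependencyInsight --dependency tomcat-embed-core --configuration runtimeClasspath) is still the step that proves the override actually won over the Spring Boot BOM.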

@krusche krusche merged commit c12ac2c into develop May 22, 2026
11 of 12 checks passed
@krusche krusche deleted the chore/bump-server-deps-tomcat-junit branch May 22, 2026 06:39