
Update client and server dependencies #1101

Merged
krusche merged 1 commit into develop from chore/dependency-updates-security
Jun 16, 2026

@krusche krusche commented Jun 16, 2026

Member

Summary

Updates client and server dependencies to current versions, with the supporting build/test fixes needed to keep everything green.

Client

  • Mantine 9.2.0 → 9.3.1, TipTap 3.23.5 → 3.26.1, React/react-dom 19.2.6 → 19.2.7, react-router 7.15.1 → 7.17.0, DOMPurify 3.4.5 → 3.4.10, dayjs 1.11.20 → 1.11.21.
  • ESLint / Webpack / Vitest / Prettier / Playwright toolchains bumped (patch/minor).
  • pnpm 11.2.2 → 11.7.0 (packageManager).
  • Pinned a few transitive dependencies to current versions via pnpm overrides.
  • TypeScript intentionally kept at 5.9.3 — 6.0 is a breaking change for our side-effect CSS imports (TS2882).

Server

  • Spring Boot 4.0.6 → 4.1.0 — brings Hibernate 7.4.1, Logback 1.5.34, and Netty 4.2.15.Final via the BOM. Removed the explicit Tomcat/Netty version overrides that the 4.1.0 BOM now supersedes (keeping them would have downgraded Netty).
  • Build/test tooling: Spotless 8.5.1 → 8.7.0, Modernizer 1.13.0 → 1.14.0, gradle-git-properties 3.0.0 → 4.0.1, GreenMail 2.1.8 → 2.1.9.
  • Fixed pre-existing Checkstyle violations surfaced by the build (Javadoc on two service methods + braces in a test).

Docker

  • Pinned mailpit to v1.30.1; all other images were already on their latest versions.

Tooling

  • Fixed the local e2e runner (execute-e2e-local.sh) to serve the static bundle with serve.e2e.json, matching CI. Without it, the Keycloak silent-check-sso iframe received the SPA fallback (index.html) instead of the real page, which broke the login flow in local e2e runs.
  • Regenerated client + server SBOMs.

Verification

  • Client: type-check, lint, production build, and unit tests pass.
  • Server: full ./gradlew build — 864/864 tests pass, Checkstyle clean.
  • e2e: full Playwright suite green locally (two fresh-DB runs).

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Bug Fixes

    • Resolved E2E testing issues with authentication configuration to prevent SPA fallback behavior in local testing environments
  • Chores

    • Updated frontend dependencies including package manager and core libraries for stability and security improvements
    • Updated backend dependencies and build tooling plugins
    • Updated email service container to latest patch version
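
The Netty downgrade risk noted in the Server section (a leftover explicit pin overriding a newer BOM-managed version) can be checked mechanically. The following is an added example, not code from this PR or the project: a Python audit comparing `ext["*.version"]` pins in a `build.gradle` against BOM-managed versions. The function names, the sample build file, the pinned values and the Tomcat version are constructed; only the Netty BOM version comes from the PR description.

```python
import re

# Matches Spring Boot version-property pins such as: ext["netty.version"] = "4.2.0.Final"
OVERRIDE_RE = re.compile(r"""ext\[\s*["']([\w.-]+)\.version["']\s*\]\s*=\s*["']([^"']+)["']""")


def version_key(version):
    """Leading dotted-numeric part as a padded tuple; qualifiers like '.Final' are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    nums = tuple(int(p) for p in m.group().split(".")) if m else ()
    return nums + (0,) * (4 - len(nums))


def audit_overrides(build_gradle_text, bom_versions):
    """Return (line, property, pinned, bom_managed, verdict) for every active pin."""
    findings = []
    for lineno, line in enumerate(build_gradle_text.splitlines(), 1):
        if line.lstrip().startswith("//"):  # skip commented-out pins
            continue
        m = OVERRIDE_RE.search(line)
        if not m:
            continue
        name, pinned = m.groups()
        managed = bom_versions.get(name)
        if managed is None:
            verdict = "unmanaged"   # BOM has no entry; the pin is the only source
        elif version_key(pinned) < version_key(managed):
            verdict = "downgrade"   # pin forces an older version than the BOM ships
        elif version_key(pinned) == version_key(managed):
            verdict = "redundant"
        else:
            verdict = "ahead"
        findings.append((lineno, name, pinned, managed, verdict))
    return findings


# Constructed sample: the pinned values are invented; the PR does not state the old pins.
SAMPLE_BUILD_GRADLE = """\
plugins {
    id "org.springframework.boot" version "4.1.0"
}
ext["tomcat.version"] = "99.0.1"
ext["netty.version"] = "4.2.0.Final"
// ext["logback.version"] = "0.0.1"
"""
# Netty value is the one the PR description attributes to the 4.1.0 BOM; Tomcat is a placeholder.
SAMPLE_BOM = {"netty": "4.2.15.Final", "tomcat": "99.0.1"}

if __name__ == "__main__":
    for finding in audit_overrides(SAMPLE_BUILD_GRADLE, SAMPLE_BOM):
        print(finding)
```

In practice the BOM-managed versions would be taken from the resolved dependency report rather than typed in by hand.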

Copilot AI review requested due to automatic review settings June 16, 2026 13:17

coderabbitai Bot commented Jun 16, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 6522bee5-c44c-45e0-b5ce-fbc3d027925b

📥 Commits

Reviewing files that changed from the base of the PR and between 1ab22b7 and 3cf2174.

⛔ Files ignored due to path filters (1)
  • client/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (14)
  • .github/workflows/e2e_tests.yml
  • client/package.json
  • client/pnpm-workspace.yaml
  • client/sbom/.lock-hash
  • client/sbom/bom.json
  • docker-compose.showcase.yml
  • docker-compose.yml
  • execute-e2e-local.sh
  • server/build.gradle
  • server/sbom/.input-hash
  • server/sbom/bom.json
  • server/src/main/java/de/tum/cit/aet/thesis/service/ResearchGroupService.java
  • server/src/main/java/de/tum/cit/aet/thesis/service/ThesisService.java
  • server/src/test/java/de/tum/cit/aet/thesis/controller/ResearchGroupControllerTest.java

Walkthrough

Bumps Mailpit to v1.30.1 across all Docker and CI environments, upgrades frontend dependencies (Mantine, Tiptap, React, pnpm) with transitive security overrides, upgrades server Gradle plugins to Spring Boot 4.1.0 (removing manual Tomcat/Netty version pins), adds Javadoc to two service classes, and fixes local E2E serve configuration for Keycloak SSO.

Changes

Mailpit image update

| Layer | File(s) | Summary |
|---|---|---|
| Mailpit v1.30.1 across all environments | docker-compose.yml, docker-compose.showcase.yml, .github/workflows/e2e_tests.yml | axllent/mailpit image tag bumped from v1.30 to v1.30.1 in all three environment definitions. |
| Local E2E serve config for Keycloak SSO | execute-e2e-local.sh | Static server now uses -c ../serve.e2e.json to disable cleanUrls, matching CI behaviour and preventing Keycloak silent-check-sso iframe failures. |

Frontend dependency updates

| Layer | File(s) | Summary |
|---|---|---|
| pnpm, runtime, and dev dependency bumps | client/package.json | packageManager bumped to pnpm@11.7.0; Mantine → 9.3.1, Tiptap → 3.26.1, React/react-dom → 19.2.7, react-router → 7.17.0, plus Playwright, ESLint, webpack chain, vitest, prettier version bumps. |
| Transitive security overrides and SBOM hash | client/pnpm-workspace.yaml, client/sbom/.lock-hash | Overrides added for shell-quote, launch-editor, vite, tmp, and js-yaml to address advisories; SBOM lock hash refreshed. |

Server dependency and documentation updates

| Layer | File(s) | Summary |
|---|---|---|
| Gradle plugin/dep upgrades and BOM consolidation | server/build.gradle, server/sbom/.input-hash | Spring Boot → 4.1.0, Modernizer → 1.14.0, Gradle Git properties → 4.0.1, Spotless → 8.7.0; explicit ext["tomcat.version"]/ext["netty.version"] overrides removed (now covered by Spring Boot BOM); greenmail-junit5 → 2.1.9; SBOM input hash refreshed. |
| Javadoc additions and test formatting | server/src/main/java/.../ResearchGroupService.java, server/src/main/java/.../ThesisService.java, server/src/test/.../ResearchGroupControllerTest.java | Javadoc added to updateResearchGroup, ThesisService constructor, and createThesis; test if blocks reformatted with braces (no logic change). |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • ls1intum/thesis-management#1072: Also modifies server/build.gradle to manage the embedded servlet container version — directly superseded by this PR's removal of the explicit ext["tomcat.version"] override.
  • ls1intum/thesis-management#1069: Established the SBOM caching workflow that produces client/sbom/.lock-hash and server/sbom/.input-hash, both of which are refreshed here.
  • ls1intum/thesis-management#1029: Introduced the pnpm migration in client/package.json and client/pnpm-workspace.yaml that this PR builds on with further version bumps and overrides.

Suggested labels

ready for review

Suggested reviewers

  • Claudia-Anthropica
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main objective of the PR—updating dependencies across client and server components—which is the primary focus of all changes. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 83.33% which is sufficient. The required threshold is 80.00%. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


Copilot AI left a comment


Pull request overview

Updates client/server dependencies and supporting tooling/config so builds and tests continue to pass, including adjustments for local e2e runs and regenerated SBOM artifacts.

Changes:

  • Bump Spring Boot (server) and multiple client runtime/dev dependencies (Mantine/TipTap/React/router, ESLint/Vitest/Webpack toolchain, etc.).
  • Update local e2e runner to serve the production client bundle with an e2e-specific serve config.
  • Refresh SBOM outputs and pin Mailpit Docker images to a patch release.

Reviewed changes

Copilot reviewed 12 out of 15 changed files in this pull request and generated 1 comment.

| File | Description |
|---|---|
| server/src/test/java/de/tum/cit/aet/thesis/controller/ResearchGroupControllerTest.java | Reformats test conditionals to satisfy braces/style rules. |
| server/src/main/java/de/tum/cit/aet/thesis/service/ThesisService.java | Adds missing Javadoc param and method Javadoc for createThesis. |
| server/src/main/java/de/tum/cit/aet/thesis/service/ResearchGroupService.java | Adds method Javadoc for updateResearchGroup. |
| server/sbom/.input-hash | Updates SBOM input hash after dependency changes. |
| server/build.gradle | Bumps Gradle plugins/Spring Boot and removes no-longer-needed BOM overrides; updates test dependency. |
| execute-e2e-local.sh | Adjusts local e2e static serving to use e2e serve config (see PR comment for required path fix). |
| docker-compose.yml | Pins Mailpit image to v1.30.1. |
| docker-compose.showcase.yml | Pins Mailpit image to v1.30.1. |
| client/sbom/bom.json | Regenerated client SBOM reflecting updated dependency graph. |
| client/sbom/.lock-hash | Updates SBOM lock hash after dependency updates. |
| client/pnpm-workspace.yaml | Adds pnpm overrides to pin vulnerable transitive dependencies to fixed versions. |
| client/package.json | Bumps client dependencies/devDependencies and updates packageManager pnpm version. |
| .github/workflows/e2e_tests.yml | Pins Mailpit image to v1.30.1 for CI e2e services. |


Comment thread execute-e2e-local.sh
@krusche krusche merged commit 25857b8 into develop Jun 16, 2026
12 of 13 checks passed
@krusche krusche deleted the chore/dependency-updates-security branch June 16, 2026 13:46