
build: update plugins and dependencies #264

Open
stevecl5 wants to merge 1 commit into master from scl/update-dependencies

Conversation

Contributor

@stevecl5 stevecl5 commented Feb 27, 2026

Summary of Changes

Dependency Updates

Updated plugins and other dependencies, including:

  • Coppuccino 5.x -> 6.1.0
  • Vogue 2.x -> 3.0.2
  • httpclient 4.5.13 -> 4.5.14

By updating Coppuccino to the latest version, plugin dependency constraints are automatically included to address known vulnerabilities introduced by the plugin. As a result, manually overriding the versions of commons-lang3 and log4j-core using resolutionStrategy.eachDependency is no longer needed. As an added benefit, the new constraints set a minimum version for the vulnerable dependencies, allowing them to resolve to newer versions when available.

Dependency Cleanup & Fixes:

  • SpotBugs: Removed the com.github.spotbugs:spotbugs-annotations dependency from :common, as it is now natively provided by the updated Coppuccino plugin.
  • Commons Text: Locked org.apache.commons:commons-text to 1.15.0 instead of using latest.release to ensure deterministic builds and prevent breaking changes from being pulled in unintentionally.
  • Gson Typo: Corrected a typo in the com.google.code.gson:gson version range (changed from [2.13.0,13.0.0) to [2.13.0,3.0.0)).
  • Lombok: Removed the redundant org.projectlombok:lombok dependency from sub-projects, as it is already globally managed and provided by the io.freefair.lombok plugin.
  • Java JWT: Updated the com.auth0:java-jwt dependency to [4.5.1, 5.0.0) to establish a secure floor that natively resolves legacy jackson-databind vulnerabilities without requiring manual overrides.

Gradle Project Improvements

In addition to the dependency changes, I also made significant improvements to the Gradle configuration files.

Root Project (build.gradle)

  • Centralized Constraints: Updated root-level constraints block to manage all shared libraries and security overrides.
  • Variable Extraction: Extracted versions for closely coupled multi-artifact libraries (like io.opentracing and org.slf4j) into ext properties to guarantee version alignment and simplify future upgrades.
  • Centralized Publishing & Signing: Moved Maven Central publication and signing logic into the root subprojects block, ensuring the platform BOM publishes correctly using components.javaPlatform (previously re-defined in the platform project).
  • Modernized Task Configuration: Replaced legacy afterEvaluate logic for spotlessApply and subdependencies tasks with a more performant, lazy task configuration.
  • Global Toolchains: Replaced sourceCompatibility and targetCompatibility by enforcing Java 17 globally using the modern java { toolchain { ... } } API.
  • Simplified Artifacts: Replaced manual package tasks and artifacts configuration with the native java { withSourcesJar(); withJavadocJar() } DSL.

Sub-Projects (common, gateway, http, messaging, etc.)

  • Version Stripping: Removed all hardcoded version numbers for shared dependencies (e.g., gson, opentracing, httpclient, slf4j), allowing them to inherit coordinates natively from the root constraints.
  • Scope Refinement: Corrected dependency configurations across the board. Changes include:
    • strictly using implementation for internal tools and api for exposed transitives
    • changing com.google.auto.service:auto-service to compileOnly
    • removing a redundant testImplementation dependency for org.objenesis:objenesis
  • Testing Library Exports: Updated the :testing project to expose mockito, spock, and junit via api so consumers inherit the testing framework seamlessly.

Platform BOM (platform)

  • Simplified BOM: Stripped out legacy Java plugin applications and redundant publishing blocks. The project now strictly uses the java-platform plugin to cleanly expose path-core project constraints to external consumers.

Public API Additions/Changes

N/A

Downstream Consumer Impact

N/A

How Has This Been Tested?

Verified that vulnerabilities are resolved without manual overrides by running snyk test --all-projects --exclude=build.

Snyk scan results
path-core % snyk test --all-projects --exclude=build

Testing /Users/steven.leighton/dev/path-core...

Organization:      mx
Package manager:   gradle
Target file:       build.gradle
Project name:      path-core
Open source:       no
Project path:      /Users/steven.leighton/dev/path-core
Licenses:          enabled

✔ Tested /Users/steven.leighton/dev/path-core for known issues, no vulnerable paths found.

Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.

-------------------------------------------------------

Testing /Users/steven.leighton/dev/path-core...

Tested 98 dependencies for known issues, found 4 issues, 8 vulnerable paths.


License issues:

  ✗ MPL-2.0 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:net.sf.saxon:Saxon-HE:MPL-2.0] in net.sf.saxon:Saxon-HE@12.5
    introduced by com.puppycrawl.tools:checkstyle@10.25.0 > net.sf.saxon:Saxon-HE@12.5 and 3 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.puppycrawl.tools:checkstyle:LGPL-2.1] in com.puppycrawl.tools:checkstyle@10.25.0
    introduced by com.puppycrawl.tools:checkstyle@10.25.0

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs-annotations:LGPL-2.1] in com.github.spotbugs:spotbugs-annotations@4.9.8
    introduced by com.github.spotbugs:spotbugs-annotations@4.9.8 and 1 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs:LGPL-2.1] in com.github.spotbugs:spotbugs@4.9.8
    introduced by com.github.spotbugs:spotbugs@4.9.8



Organization:      mx
Package manager:   gradle
Target file:       common/build.gradle
Project name:      path-core/common
Open source:       no
Project path:      /Users/steven.leighton/dev/path-core
Licenses:          enabled

-------------------------------------------------------

Testing /Users/steven.leighton/dev/path-core...

Tested 105 dependencies for known issues, found 4 issues, 8 vulnerable paths.


License issues:

  ✗ MPL-2.0 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:net.sf.saxon:Saxon-HE:MPL-2.0] in net.sf.saxon:Saxon-HE@12.5
    introduced by com.puppycrawl.tools:checkstyle@10.25.0 > net.sf.saxon:Saxon-HE@12.5 and 3 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.puppycrawl.tools:checkstyle:LGPL-2.1] in com.puppycrawl.tools:checkstyle@10.25.0
    introduced by com.puppycrawl.tools:checkstyle@10.25.0

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs-annotations:LGPL-2.1] in com.github.spotbugs:spotbugs-annotations@4.9.8
    introduced by com.github.spotbugs:spotbugs-annotations@4.9.8 and 1 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs:LGPL-2.1] in com.github.spotbugs:spotbugs@4.9.8
    introduced by com.github.spotbugs:spotbugs@4.9.8



Organization:      mx
Package manager:   gradle
Target file:       context/build.gradle
Project name:      path-core/context
Open source:       no
Project path:      /Users/steven.leighton/dev/path-core
Licenses:          enabled

-------------------------------------------------------

Testing /Users/steven.leighton/dev/path-core...

Tested 121 dependencies for known issues, found 4 issues, 8 vulnerable paths.


License issues:

  ✗ MPL-2.0 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:net.sf.saxon:Saxon-HE:MPL-2.0] in net.sf.saxon:Saxon-HE@12.5
    introduced by com.puppycrawl.tools:checkstyle@10.25.0 > net.sf.saxon:Saxon-HE@12.5 and 3 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.puppycrawl.tools:checkstyle:LGPL-2.1] in com.puppycrawl.tools:checkstyle@10.25.0
    introduced by com.puppycrawl.tools:checkstyle@10.25.0

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs-annotations:LGPL-2.1] in com.github.spotbugs:spotbugs-annotations@4.9.8
    introduced by com.github.spotbugs:spotbugs-annotations@4.9.8 and 1 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs:LGPL-2.1] in com.github.spotbugs:spotbugs@4.9.8
    introduced by com.github.spotbugs:spotbugs@4.9.8



Organization:      mx
Package manager:   gradle
Target file:       gateway/build.gradle
Project name:      path-core/gateway
Open source:       no
Project path:      /Users/steven.leighton/dev/path-core
Licenses:          enabled

-------------------------------------------------------

Testing /Users/steven.leighton/dev/path-core...

Tested 120 dependencies for known issues, found 4 issues, 8 vulnerable paths.


License issues:

  ✗ MPL-2.0 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:net.sf.saxon:Saxon-HE:MPL-2.0] in net.sf.saxon:Saxon-HE@12.5
    introduced by com.puppycrawl.tools:checkstyle@10.25.0 > net.sf.saxon:Saxon-HE@12.5 and 3 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.puppycrawl.tools:checkstyle:LGPL-2.1] in com.puppycrawl.tools:checkstyle@10.25.0
    introduced by com.puppycrawl.tools:checkstyle@10.25.0

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs-annotations:LGPL-2.1] in com.github.spotbugs:spotbugs-annotations@4.9.8
    introduced by com.github.spotbugs:spotbugs-annotations@4.9.8 and 1 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs:LGPL-2.1] in com.github.spotbugs:spotbugs@4.9.8
    introduced by com.github.spotbugs:spotbugs@4.9.8



Organization:      mx
Package manager:   gradle
Target file:       gateway-generator/build.gradle
Project name:      path-core/gateway-generator
Open source:       no
Project path:      /Users/steven.leighton/dev/path-core
Licenses:          enabled

-------------------------------------------------------

Testing /Users/steven.leighton/dev/path-core...

Tested 122 dependencies for known issues, found 4 issues, 8 vulnerable paths.


License issues:

  ✗ MPL-2.0 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:net.sf.saxon:Saxon-HE:MPL-2.0] in net.sf.saxon:Saxon-HE@12.5
    introduced by com.puppycrawl.tools:checkstyle@10.25.0 > net.sf.saxon:Saxon-HE@12.5 and 3 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.puppycrawl.tools:checkstyle:LGPL-2.1] in com.puppycrawl.tools:checkstyle@10.25.0
    introduced by com.puppycrawl.tools:checkstyle@10.25.0

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs-annotations:LGPL-2.1] in com.github.spotbugs:spotbugs-annotations@4.9.8
    introduced by com.github.spotbugs:spotbugs-annotations@4.9.8 and 1 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs:LGPL-2.1] in com.github.spotbugs:spotbugs@4.9.8
    introduced by com.github.spotbugs:spotbugs@4.9.8



Organization:      mx
Package manager:   gradle
Target file:       http/build.gradle
Project name:      path-core/http
Open source:       no
Project path:      /Users/steven.leighton/dev/path-core
Licenses:          enabled

-------------------------------------------------------

Testing /Users/steven.leighton/dev/path-core...

Tested 106 dependencies for known issues, found 4 issues, 8 vulnerable paths.


License issues:

  ✗ MPL-2.0 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:net.sf.saxon:Saxon-HE:MPL-2.0] in net.sf.saxon:Saxon-HE@12.5
    introduced by com.puppycrawl.tools:checkstyle@10.25.0 > net.sf.saxon:Saxon-HE@12.5 and 3 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.puppycrawl.tools:checkstyle:LGPL-2.1] in com.puppycrawl.tools:checkstyle@10.25.0
    introduced by com.puppycrawl.tools:checkstyle@10.25.0

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs-annotations:LGPL-2.1] in com.github.spotbugs:spotbugs-annotations@4.9.8
    introduced by com.github.spotbugs:spotbugs-annotations@4.9.8 and 1 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs:LGPL-2.1] in com.github.spotbugs:spotbugs@4.9.8
    introduced by com.github.spotbugs:spotbugs@4.9.8



Organization:      mx
Package manager:   gradle
Target file:       messaging/build.gradle
Project name:      path-core/messaging
Open source:       no
Project path:      /Users/steven.leighton/dev/path-core
Licenses:          enabled

-------------------------------------------------------

Testing /Users/steven.leighton/dev/path-core...

Organization:      mx
Package manager:   gradle
Target file:       platform/build.gradle
Project name:      path-core/platform
Open source:       no
Project path:      /Users/steven.leighton/dev/path-core
Licenses:          enabled

✔ Tested /Users/steven.leighton/dev/path-core for known issues, no vulnerable paths found.

Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.

-------------------------------------------------------

Testing /Users/steven.leighton/dev/path-core...

Tested 75 dependencies for known issues, found 3 issues, 4 vulnerable paths.


License issues:

  ✗ MPL-2.0 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:net.sf.saxon:Saxon-HE:MPL-2.0] in net.sf.saxon:Saxon-HE@12.9
    introduced by com.github.spotbugs:spotbugs@4.9.8 > net.sf.saxon:Saxon-HE@12.9

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs-annotations:LGPL-2.1] in com.github.spotbugs:spotbugs-annotations@4.9.8
    introduced by com.github.spotbugs:spotbugs-annotations@4.9.8 and 1 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs:LGPL-2.1] in com.github.spotbugs:spotbugs@4.9.8
    introduced by com.github.spotbugs:spotbugs@4.9.8



Organization:      mx
Package manager:   gradle
Target file:       test-gateway-generator/build.gradle
Project name:      path-core/test-gateway-generator
Open source:       no
Project path:      /Users/steven.leighton/dev/path-core
Licenses:          enabled

-------------------------------------------------------

Testing /Users/steven.leighton/dev/path-core...

Tested 129 dependencies for known issues, found 4 issues, 8 vulnerable paths.


License issues:

  ✗ MPL-2.0 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:net.sf.saxon:Saxon-HE:MPL-2.0] in net.sf.saxon:Saxon-HE@12.5
    introduced by com.puppycrawl.tools:checkstyle@10.25.0 > net.sf.saxon:Saxon-HE@12.5 and 3 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.puppycrawl.tools:checkstyle:LGPL-2.1] in com.puppycrawl.tools:checkstyle@10.25.0
    introduced by com.puppycrawl.tools:checkstyle@10.25.0

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs-annotations:LGPL-2.1] in com.github.spotbugs:spotbugs-annotations@4.9.8
    introduced by com.github.spotbugs:spotbugs-annotations@4.9.8 and 1 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs:LGPL-2.1] in com.github.spotbugs:spotbugs@4.9.8
    introduced by com.github.spotbugs:spotbugs@4.9.8



Organization:      mx
Package manager:   gradle
Target file:       test-gateways/build.gradle
Project name:      path-core/test-gateways
Open source:       no
Project path:      /Users/steven.leighton/dev/path-core
Licenses:          enabled

-------------------------------------------------------

Testing /Users/steven.leighton/dev/path-core...

Tested 115 dependencies for known issues, found 4 issues, 8 vulnerable paths.


License issues:

  ✗ MPL-2.0 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:net.sf.saxon:Saxon-HE:MPL-2.0] in net.sf.saxon:Saxon-HE@12.5
    introduced by com.puppycrawl.tools:checkstyle@10.25.0 > net.sf.saxon:Saxon-HE@12.5 and 3 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.puppycrawl.tools:checkstyle:LGPL-2.1] in com.puppycrawl.tools:checkstyle@10.25.0
    introduced by com.puppycrawl.tools:checkstyle@10.25.0

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs-annotations:LGPL-2.1] in com.github.spotbugs:spotbugs-annotations@4.9.8
    introduced by com.github.spotbugs:spotbugs-annotations@4.9.8 and 1 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs:LGPL-2.1] in com.github.spotbugs:spotbugs@4.9.8
    introduced by com.github.spotbugs:spotbugs@4.9.8



Organization:      mx
Package manager:   gradle
Target file:       test-models/build.gradle
Project name:      path-core/test-models
Open source:       no
Project path:      /Users/steven.leighton/dev/path-core
Licenses:          enabled

-------------------------------------------------------

Testing /Users/steven.leighton/dev/path-core...

Tested 116 dependencies for known issues, found 4 issues, 8 vulnerable paths.


License issues:

  ✗ MPL-2.0 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:net.sf.saxon:Saxon-HE:MPL-2.0] in net.sf.saxon:Saxon-HE@12.5
    introduced by com.puppycrawl.tools:checkstyle@10.25.0 > net.sf.saxon:Saxon-HE@12.5 and 3 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.puppycrawl.tools:checkstyle:LGPL-2.1] in com.puppycrawl.tools:checkstyle@10.25.0
    introduced by com.puppycrawl.tools:checkstyle@10.25.0

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs-annotations:LGPL-2.1] in com.github.spotbugs:spotbugs-annotations@4.9.8
    introduced by com.github.spotbugs:spotbugs-annotations@4.9.8 and 1 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs:LGPL-2.1] in com.github.spotbugs:spotbugs@4.9.8
    introduced by com.github.spotbugs:spotbugs@4.9.8



Organization:      mx
Package manager:   gradle
Target file:       testing/build.gradle
Project name:      path-core/testing
Open source:       no
Project path:      /Users/steven.leighton/dev/path-core
Licenses:          enabled

-------------------------------------------------------

Testing /Users/steven.leighton/dev/path-core...

Tested 92 dependencies for known issues, found 4 issues, 8 vulnerable paths.


License issues:

  ✗ MPL-2.0 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:net.sf.saxon:Saxon-HE:MPL-2.0] in net.sf.saxon:Saxon-HE@12.5
    introduced by com.puppycrawl.tools:checkstyle@10.25.0 > net.sf.saxon:Saxon-HE@12.5 and 3 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.puppycrawl.tools:checkstyle:LGPL-2.1] in com.puppycrawl.tools:checkstyle@10.25.0
    introduced by com.puppycrawl.tools:checkstyle@10.25.0

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs-annotations:LGPL-2.1] in com.github.spotbugs:spotbugs-annotations@4.9.8
    introduced by com.github.spotbugs:spotbugs-annotations@4.9.8 and 1 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs:LGPL-2.1] in com.github.spotbugs:spotbugs@4.9.8
    introduced by com.github.spotbugs:spotbugs@4.9.8



Organization:      mx
Package manager:   gradle
Target file:       utilities/build.gradle
Project name:      path-core/utilities
Open source:       no
Project path:      /Users/steven.leighton/dev/path-core
Licenses:          enabled

-------------------------------------------------------

Testing /Users/steven.leighton/dev/path-core...

Organization:      mx
Package manager:   npm
Target file:       package-lock.json
Project name:      package.json
Open source:       no
Project path:      /Users/steven.leighton/dev/path-core
Licenses:          enabled

✔ Tested /Users/steven.leighton/dev/path-core for known issues, no vulnerable paths found.

Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.


Tested 14 projects, 11 contained vulnerable paths.

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my code
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
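
As an added illustration of the Gradle pattern the description contrasts (this is not the project's build.gradle and not code from this PR): a legacy resolutionStrategy.eachDependency override pins one exact version in every subproject, whereas a root-level constraints block declares a floor, so a patched release resolves without a manual edit. The gson, java-jwt, httpclient and commons-text versions are the ones the PR lists; the slf4j, opentracing and commons-lang3 values are placeholders, as are the assumed plugin and constraint names.

```groovy
// Added example, not the project's build.gradle. Values marked PLACEHOLDER
// are not taken from the PR.

// BEFORE: a hard override in every subproject. It silently rewrites whatever
// version a transitive dependency asked for, must be edited by hand each time
// a fix release ships, and hides the real requested version from reports.
subprojects {
    configurations.all {
        resolutionStrategy.eachDependency { details ->
            if (details.requested.group == 'org.apache.commons'
                    && details.requested.name == 'commons-lang3') {
                details.useVersion 'PLACEHOLDER'   // exact pin, never moves on its own
            }
        }
    }
}

// AFTER: declare floors once at the root. A constraint is a minimum, not a pin:
// Gradle selects the highest version requested on any path that satisfies the
// range, so a patched release is adopted without touching the build script.
ext {
    slf4jVersion = 'PLACEHOLDER'        // keeps slf4j-api and its bindings aligned
    opentracingVersion = 'PLACEHOLDER'  // keeps opentracing-api/util/noop aligned
}

subprojects {
    apply plugin: 'java-library'   // needed for the api configuration below

    java {
        // one JDK for every module instead of per-project source/targetCompatibility
        toolchain { languageVersion = JavaLanguageVersion.of(17) }
        withSourcesJar()   // replaces hand-written sources/javadoc jar tasks
        withJavadocJar()
    }

    dependencies {
        constraints {
            // floors named in the PR description
            api 'com.google.code.gson:gson:[2.13.0,3.0.0)'     // upper bound typo fixed
            api 'com.auth0:java-jwt:[4.5.1,5.0.0)'             // brings a patched jackson-databind
            api 'org.apache.httpcomponents:httpclient:4.5.14'
            api 'org.apache.commons:commons-text:1.15.0'       // pinned; latest.release is not reproducible
            api "org.slf4j:slf4j-api:${slf4jVersion}"
            api "io.opentracing:opentracing-api:${opentracingVersion}"
        }
    }
}
```

To confirm which constraint selected a version, run `./gradlew :common:dependencyInsight --dependency gson --configuration runtimeClasspath`; the report names the constraint that won and the versions each path requested.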

stevecl5 force-pushed the scl/update-dependencies branch 2 times, most recently from 0792611 to 1ac3f53 on March 1, 2026 04:11
build: clean up gradle configuration files

Release-As: 6.0.2
stevecl5 force-pushed the scl/update-dependencies branch from 1ac3f53 to 03b4a1d on March 1, 2026 04:30
