Merge remote-tracking branch 'origin/develop' into fb_updateStartAndStopTasks

# Conflicts:
#	gradle.properties

Author: labkey-tchad

build.gradle

@@ -210,8 +210,6 @@ allprojects {
                     force "org.slf4j:slf4j-api:${slf4jLog4jApiVersion}"
                     // force some newer versions than are brought in by mondrian (et al.)
                     force "xerces:xercesImpl:${xercesImplVersion}"
-                    // Microsoft SQL Server JDBC driver and Duo SDK pull in different versions of byte-buddy
-                    force "net.bytebuddy:byte-buddy:${byteBuddyVersion}"
                     force "org.apache.logging.log4j:log4j-core:${log4j2Version}"
                     force "org.apache.logging.log4j:log4j-api:${log4j2Version}"
                     force "org.apache.logging.log4j:log4j-1.2-api:${log4j2Version}"
@@ -250,6 +248,8 @@ allprojects {
                     force "com.google.protobuf:protobuf-java-util:${googleProtocolBufVersion}"
                     // force version for Cloud, FileTransfer, SequenceAnalysis, etc.
                     force "com.google.code.findbugs:jsr305:${jsr305Version}"
+                    // force version used by JAXB to match api
+                    force "org.eclipse.angus:angus-activation:${angusActivationVersion}"
                     // force Jakarta Activation API version used by our Angus Activation implementation
                     force "jakarta.activation:jakarta.activation-api:${jakartaActivationApiVersion}"
                     // force version for accounts, api, query

dependencyCheckSuppression.xml

@@ -139,4 +139,29 @@
        <packageUrl regex="true">^pkg:maven/com\.google\.code\.gson/gson@.*$</packageUrl>
        <vulnerabilityName>CVE-2025-53864</vulnerabilityName>
     </suppress>
+
+    <!--
+    False positives - API jars are getting matched to old (18.3) LabKey Server releases
+    -->
+    <suppress>
+        <notes><![CDATA[
+        file name: provisioning-2.1.0-api.jar
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.labkey\.api/provisioning@.*$</packageUrl>
+        <cpe>cpe:/a:labkey:labkey_server</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+        file name: labkey-client-api-7.0.0.jar
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.labkey\.api/labkey-client-api@.*$</packageUrl>
+        <cpe>cpe:/a:labkey:labkey_server</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+        file name: labkey-api-jdbc-3.1.0-all.jar
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.labkey\.api/labkey-api-jdbc@.*$</packageUrl>
+        <cpe>cpe:/a:labkey:labkey_server</cpe>
+    </suppress>
 </suppressions>

gradle.properties

@@ -59,8 +59,8 @@ windowsProteomicsBinariesVersion=1.0
 # The current version numbers for the gradle plugins.
 artifactoryPluginVersion=5.2.5
 gradleNodePluginVersion=7.1.0
-gradlePluginsVersion=7.1.0-updateStartAndStopTasks-SNAPSHOT
-owaspDependencyCheckPluginVersion=12.1.6
+gradlePluginsVersion=7.1.0
+owaspDependencyCheckPluginVersion=12.1.8
 versioningPluginVersion=1.1.2
 
 # Versions of node and npm to use during the build. If set, these versions
@@ -86,8 +86,8 @@ npmWorkDirectory=.node
 # convention is <library name>Version camel-cased, i.e. "jacksonVersion".
 
 # The implementation of Jakarta Activation API that we use. Keep in sync with jakartaActivationApiVersion (below).
-angusActivationVersion=2.0.2
-angusMailVersion=2.0.4
+angusActivationVersion=2.0.3
+angusMailVersion=2.0.5
 
 annotationsVersion=15.0
 
@@ -104,22 +104,20 @@ apacheTomcatVersion=10.1.46
 # (mothership) -> json-path -> json-smart -> accessor-smart
 # (core) -> graalvm
 # tika
-asmVersion=9.8
+asmVersion=9.9
 
 # Apache Batik -- Batik version needs to be compatible with Apache FOP, but we need to pull in batik-codec separately
 batikVersion=1.19
 
 # sync with Tika version (or later)
-bouncycastlePgpVersion=1.81
-bouncycastleVersion=1.81
-
-byteBuddyVersion=1.17.7
+bouncycastlePgpVersion=1.82
+bouncycastleVersion=1.82
 
 cglibNodepVersion=2.2.3
 
 checkerQualVersion=3.31.0
 
-commonmarkVersion=0.25.1
+commonmarkVersion=0.27.0
 
 # the beanutils version is not the default version brought from commons-validator and/or commons-digester
 # in the :server:api module but is required for some of our code to compile
@@ -132,7 +130,7 @@ commonsDbcpVersion=1.4
 commonsDigesterVersion=1.8.1
 commonsDiscoveryVersion=0.2
 commonsIoVersion=2.20.0
-commonsLang3Version=3.18.0
+commonsLang3Version=3.19.0
 commonsLangVersion=2.6
 commonsLoggingVersion=1.3.5
 commonsMath3Version=3.6.1
@@ -141,7 +139,7 @@ commonsTextVersion=1.14.0
 commonsValidatorVersion=1.10.0
 commonsVfs2Version=2.10.0
 
-datadogVersion=1.52.1
+datadogVersion=1.54.0
 
 dom4jVersion=2.1.4
 
@@ -157,8 +155,8 @@ fopVersion=2.11
 
 # Force latest for consistency
 googleAutoValueAnnotationsVersion=1.10.4
-googleErrorProneAnnotationsVersion=2.41.0
-googleHttpClientVersion=2.0.0
+googleErrorProneAnnotationsVersion=2.42.0
+googleHttpClientVersion=2.0.2
 googleOauthClientVersion=1.39.0
 googleProtocolBufVersion=3.25.8
 
@@ -168,9 +166,9 @@ googleProtocolBufVersion=3.25.8
 # "java.lang.NoSuchMethodError: 'void com.google.gson.internal.ConstructorConstructor.<init>(java.util.Map)'" errors
 gsonVersion=2.8.9
 
-grpcVersion=1.75.0
+grpcVersion=1.76.0
 
-guavaVersion=33.4.8-jre
+guavaVersion=33.5.0-jre
 
 # Note: You won't find usages in the product sources; this property is used by the gradle plugin.
 gwtVersion=2.12.2
@@ -184,8 +182,8 @@ hamcrestVersion=2.2
 # Note: if changing this, we might need to match with the picard version in the SequenceAnalysis module build.gradle
 htsjdkVersion=4.3.0
 
-httpclient5Version=5.5
-httpcore5Version=5.3.5
+httpclient5Version=5.5.1
+httpcore5Version=5.3.6
 
 # Not used directly, but these are widely used transitive dependencies
 httpclientVersion=4.5.14
@@ -201,7 +199,7 @@ jacksonDatabindVersion=2.20.0
 jacksonJaxrsBaseVersion=2.20.0
 
 # The Jakarta Activation API version that Angus Activation implements. Keep in sync with angusActivationVersion (above).
-jakartaActivationApiVersion=2.1.3
+jakartaActivationApiVersion=2.1.4
 
 jamaVersion=1.0.3
 
@@ -241,16 +239,16 @@ jxlVersion=2.6.3
 
 kaptchaVersion=2.3
 
-log4j2Version=2.24.3
+log4j2Version=2.25.2
 
-lombokVersion=1.18.38
+lombokVersion=1.18.42
 
-luceneVersion=9.12.2
+luceneVersion=9.12.3
 
-mssqlJdbcVersion=13.2.0.jre11
+mssqlJdbcVersion=13.2.1.jre11
 
 # force for docker
-nettyVersion=4.2.5.Final
+nettyVersion=4.2.7.Final
 
 objenesisVersion=1.0
 
@@ -267,7 +265,7 @@ poiVersion=5.4.0
 pollingWatchVersion=0.2.0
 
 # Newer versions of the driver have a perf degradation that's important for us. https://github.com/pgjdbc/pgjdbc/issues/3505
-postgresqlDriverVersion=42.7.4
+postgresqlDriverVersion=42.7.8
 
 quartzVersion=2.5.0
 
@@ -302,7 +300,7 @@ stax2ApiVersion=4.2.2
 thumbnailatorVersion=0.4.20
 
 # used for tika-core in API and tika-parsers in search
-tikaVersion=3.2.2
+tikaVersion=3.2.3
 
 # sync with Tika
 tukaaniXZVersion=1.10