[Snyk] Fix for 1 vulnerability #5243
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JAVA-CHQOSLOGBACK-15062482
Pull request overview
This PR addresses a security vulnerability (SNYK-JAVA-CHQOSLOGBACK-15062482) by upgrading logging and framework dependencies. The PR upgrades logback from 1.2.6 to 1.5.25 and Dropwizard from 2.0.0 to 4.0.12.
Changes:
- Upgrade logback-classic and logback-core from 1.2.6 to 1.5.25 to fix "External Initialization of Trusted Variables or Data Stores" vulnerability
- Upgrade Dropwizard from 2.0.0 to 4.0.12 (major version jump)
- Minor XML formatting improvements (converting empty tags to self-closing format)
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| pom.xml | Updates logback.version property from 1.2.6 to 1.5.25; includes minor XML formatting improvements to self-closing tags |
| dropwizard/pom.xml | Updates dropwizard.version property from 2.0.0 to 4.0.12 (major version upgrade); includes XML formatting improvements |
| <properties> | ||
| <dropwizard.version>2.0.0</dropwizard.version> | ||
| <dropwizard.version>4.0.12</dropwizard.version> |
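Review bot: The dropwizard.version bump from 2.0.0 to 4.0.12 in this hunk is not the flagged fix itself; Snyk lists io.dropwizard:dropwizard-core on the upgrade path only because dropwizard-core depends on logback and the logback issue is reached through it. Consider landing the logback property change on its own and doing the Dropwizard 2.x to 4.x migration in a separate PR where the breaking changes (two major versions, 3.x skipped) can be reviewed against the migration guides with a compiling build, rather than blocking a "No Known Exploit" dependency fix on a framework migration. If the bump stays here, run `mvn dependency:tree -Dincludes=ch.qos.logback` after it to confirm that no 1.2.x logback-core or logback-classic is still resolved transitively, and make sure `mvn verify` passes against the 4.x APIs before treating the vulnerability as closed.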
This PR upgrades Dropwizard from version 2.0.0 to 4.0.12, which represents a major version jump that skips version 3.x entirely. Major version upgrades typically introduce breaking changes and API modifications.
Before merging, you should:
- Review the Dropwizard 3.x and 4.x migration guides and release notes to identify breaking changes
- Verify that all Dropwizard APIs used in the codebase (Application, Configuration, ResourceConfigurationSourceProvider, Bootstrap, Environment, etc.) remain compatible
- Run comprehensive integration and unit tests to ensure the application still functions correctly
- Test the application's startup, health checks, and REST endpoints
The Dropwizard module uses core framework APIs that may have changed signature or behavior between versions.
| <!-- logging --> | ||
| <org.slf4j.version>1.7.32</org.slf4j.version> | ||
| <logback.version>1.2.6</logback.version> | ||
| <logback.version>1.5.25</logback.version> |
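Review bot: org.slf4j.version is left at 1.7.32 on the line above while logback.version moves to 1.5.25, and that pairing does not work: logback 1.3 and later, including the 1.5.x line, are built against the SLF4J 2.x API and register through the ServiceLoader `SLF4JServiceProvider` mechanism, and they no longer ship `org.slf4j.impl.StaticLoggerBinder`, which is the only binding slf4j-api 1.7.x looks for. With this mix the application starts, slf4j-api 1.7 prints "Failed to load class org.slf4j.impl.StaticLoggerBinder", falls back to its NOP logger, and every log line (including the request/audit logging this service relies on) is silently discarded. Bump `org.slf4j.version` to a 2.0.x release in the same change, checking the logback 1.5.25 release notes for the slf4j-api version it was built against, and confirm with `mvn dependency:tree -Dincludes=org.slf4j` that no 1.7.x slf4j-api is still resolved; if the parent POM manages slf4j-api through dependencyManagement, that property will also override the slf4j 2.x that Dropwizard 4.0.12 brings in, so the dropwizard module is affected as well. The 1.2.6 to 1.5.25 jump is therefore not a drop-in patch within 1.x; it crosses the 1.3 boundary where the SLF4J binding model changed.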
The logback upgrade from 1.2.6 to 1.5.25 appears to be a minor version upgrade within the 1.x series. However, verify that this version is compatible with SLF4J 1.7.32 which is currently specified in the parent POM. Logback 1.5.x may require or recommend SLF4J 2.x for optimal compatibility. Check the Logback 1.5.25 documentation to confirm SLF4J version compatibility.
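To turn the SLF4J/logback compatibility question above into something the build can answer at runtime rather than by reading release notes, here is an added startup check (example code, not part of this PR or of the project): it asks SLF4J which logger factory it actually bound to and fails fast if that is the NOP fallback, which is what you get when slf4j-api 1.7.x is paired with logback 1.5.x. The class name `LoggingBindingCheck` and the suggestion of calling it from the Dropwizard application's `run` method are assumptions; the SLF4J and logback class names it compares against are the real ones.

```java
// Added example, not code from the PR or the project.
// Verifies that the SLF4J API on the classpath actually bound to logback.
// With logback 1.5.x and slf4j-api 1.7.x, SLF4J 1.7 finds no
// org.slf4j.impl.StaticLoggerBinder and silently falls back to NOP logging.
import org.slf4j.ILoggerFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public final class LoggingBindingCheck {

    /** The factory SLF4J reports when logback-classic is the active provider. */
    private static final String LOGBACK_CONTEXT = "ch.qos.logback.classic.LoggerContext";

    /** SLF4J's fallback factory when no provider/binding could be loaded. */
    private static final String NOP_FACTORY = "org.slf4j.helpers.NOPLoggerFactory";

    private LoggingBindingCheck() {}

    /** Returns the class name of the ILoggerFactory SLF4J actually bound to. */
    public static String boundFactory() {
        ILoggerFactory factory = LoggerFactory.getILoggerFactory();
        return factory.getClass().getName();
    }

    /** True when SLF4J is backed by logback rather than the NOP fallback. */
    public static boolean isBoundToLogback() {
        return LOGBACK_CONTEXT.equals(boundFactory());
    }

    /**
     * Fail fast at startup (assumed call site: the Dropwizard Application's
     * run method, before the server starts) instead of running with logging
     * silently disabled. The NOP case is reported separately because it is the
     * specific symptom of an slf4j-api/logback major-version mismatch.
     */
    public static void requireLogback() {
        String bound = boundFactory();
        if (NOP_FACTORY.equals(bound)) {
            throw new IllegalStateException(
                "SLF4J fell back to " + NOP_FACTORY + ": no logging provider was found."
                + " Check that org.slf4j.version matches the logback-classic line"
                + " (logback 1.3+/1.5.x needs slf4j-api 2.x).");
        }
        if (!LOGBACK_CONTEXT.equals(bound)) {
            throw new IllegalStateException(
                "SLF4J is bound to " + bound + ", expected " + LOGBACK_CONTEXT);
        }
        Logger log = LoggerFactory.getLogger(LoggingBindingCheck.class);
        log.info("SLF4J bound to {}", bound);
    }

    public static void main(String[] args) {
        requireLogback();
    }
}
```

Run it once with the dependency set produced by this PR (logback 1.5.25, slf4j-api 1.7.32) and once with org.slf4j.version raised to a 2.0.x release; the first run throws the NOP exception, the second logs the logback context name. The same class is also a cheap unit test to keep in the dropwizard module so the next dependency bump cannot reintroduce the mismatch unnoticed.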
Snyk has created this PR to fix 1 vulnerability in the maven dependencies of this project.
Snyk changed the following file(s):
- pom.xml
- dropwizard/pom.xml

Vulnerabilities that will be fixed with an upgrade:
- Issue: SNYK-JAVA-CHQOSLOGBACK-15062482
- Upgrade path: 1.2.6->1.5.25; ch.qos.logback:logback-core: 1.2.6->1.5.25; io.dropwizard:dropwizard-core: 2.0.0->4.0.12
- Breaking change: Major version upgrade
- Exploit maturity: No Known Exploit
- Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.