#29112 Update minimatch and serialize-javascript to fix CVE-2026-27903, CVE-2026-27904, and GHSA-5c6j-r48x-rmvq

#28915

Update GWT to version 2.12

#29199

XSS vulnerability in /jsp/openapi/server/displayAPISpec.jsp

#28674

Security issues in the UMLJS project

#29107

StackOverflowError when rolling back in the transaction monitor

#27850

Modelleditor swallows classification with a less-than sign in the name

#29112

Update minimatch and serialize-javascript to fix CVE-2026-27903, CVE-2026-27904, and GHSA-5c6j-r48x-rmvq

#29197

Eclipse error after dependency update: maven-jar-plugin 3.5.0 causes "outside of a scoping block" error in m2e

#29110

Update dependency com.fasterxml.jackson.core:jackson-core to v2.21.1 [SECURITY]

defect

UmlJs

The minimatch dependency in com.top_logic.umljs/src-js/package-lock.json is at version 10.2.2, which is vulnerable to two ReDoS CVEs:

These are dev dependencies only (eslint, rollup toolchain) and not shipped in production, but should still be updated.

A prior fix (commit afea3c24981, Feb 24) upgraded minimatch to 10.2.2, which addressed CVE-2026-26996, but the two newer CVEs require 10.2.3+.

Fix: Update minimatch to >= 10.2.3 via npm update minimatch in com.top_logic.umljs/src-js/.