OWASP now fails builds on three HIGH CVEs in transitive deps. bom 1.0.7 takes the upstream patches
(no suppressions):
postgresql 42.7.11 -> 42.7.13 CVE-2026-54291 (CVSS4 8.2) — channelBinding downgrade / MITM
httpcore5 5.3.6 -> 5.4.3 CVE-2026-54399 (7.5), CVE-2026-54428 (7.5) — DoS
httpcore5 is transitive via httpclient5; Apache ships them as a matched pair, so bom 1.0.7 bumps
httpclient5 5.5.2 -> 5.6.2 which pulls the fixed core.
Verified locally: builds and tests pass on 1.0.7.
Refs bom#6
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Phase 1 of the guide rebuild (DESIGN.md):
- MarkdownGuideService scans content/**/*.md (frontmatter: module/title/tab/order/audience)
- GET /api/v1/guide/nav + /api/v1/guide/modules/{module}; audience gated by role
(internal tabs only for MSP_ADMIN/BCOS_ADMIN)
- Removed JPA/Flyway/Postgres, Guide entity/repo/service, admin CRUD, seed migrations
- Seed content: devices.sw-deploy (Overview/Data/Technical-internal), fleet.tasks
- Verified: boots with no DB, loads 4 docs, nav + audience filtering + 401 all correct
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>