Upgrade JAXB 2.3.3 -> 4.0.5

build.gradle

@@ -67,8 +67,8 @@ allprojects {
                 driver
                 utilities
             }
-    // exclude log4j, which may come in transitively, from all configurations to avoid its potential vulnerabilities
     configurations.configureEach {
+        // exclude log4j, which may come in transitively, from all configurations to avoid its potential vulnerabilities
         exclude group: "log4j", module:"log4j"
     }
     configurations.driver.setDescription("Dependencies used for SqlUtils")
@@ -319,15 +319,16 @@ allprojects {
 
                     // Force consistency for dependencies from pipeline and query
                     force "org.dom4j:dom4j:${dom4jVersion}"
-                    // Force consistency across pipeline, SequenceAnalysis, and query
-                    force "javax.xml.bind:jaxb-api:${jaxbApiVersion}"
 
-                    // Force consistency between pipeline's ActiveMQ  and cloud's jClouds dependencies
+                    // Force consistency between pipeline's ActiveMQ and cloud's jClouds dependencies
                     force "javax.annotation:javax.annotation-api:${javaxAnnotationVersion}"
 
                     // Force snappy-java version for CVE-2023-43642. Remove once HTSJDK bumps its preferred version.
                     force "org.xerial.snappy:snappy-java:${snappyJavaVersion}"
 
+                    // Consistency between cloud, pipeline, and query
+                    force "javax.xml.bind:jaxb-api:${jaxbApiOldVersion}"
+
                     dependencySubstitution {
                         // Because the client api artifact name is not the same as the directory structure, we use
                         // Gradle's dependency substitution so the dependency will appear correctly in the pom files that

gradle.properties

@@ -91,7 +91,7 @@ npmWorkDirectory=.node
 # gradle.properties file to declare these version numbers. Naming
 # convention is <library name>Version camel-cased, i.e. "jacksonVersion".
 
-activationVersion=2.1.2
+activationApiVersion=2.1.3
 
 annotationsVersion=15.0
 
@@ -172,6 +172,8 @@ gsonVersion=2.8.9
 grpcVersion=1.62.2
 
 guavaVersion=33.1.0-jre
+
+# Note: You won't find usages in the product sources; this property is used by the gradle plugin.
 gwtVersion=2.11.0
 gwtServletJakartaVersion=2.11.0
 # For dev builds, the targeted, single permutation browser. Can be either gwt-user-firefox, gwt-user-chrome, or gwt-user-ie
@@ -202,9 +204,13 @@ javassistVersion=3.20.0-GA
 javaMailVersion=2.0.1
 javaxAnnotationVersion=1.3.2
 
-# No longer part of Java 10. Dependency for many modules.
-jaxbApiVersion=2.3.1
-jaxbVersion=2.3.3
+# cloud, pipeline, query, and tests (sardine) use the old JAXB API and runtime versions
+jaxbApiOldVersion=2.3.1
+jaxbOldVersion=2.3.3
+
+# All other direct and indirect uses of JAXB use the current, jakarta-packaged versions
+jaxbApiVersion=4.0.2
+jaxbVersion=4.0.5
 
 jaxrpcVersion=1.1
 

server/build.gradle

@@ -29,8 +29,8 @@ BuildUtils.addLabKeyDependency(project: project, config: 'tomcatJars', depProjec
 
 dependencies
         {
-            tomcatJars  "com.sun.mail:jakarta.mail:${javaMailVersion}"
-            tomcatJars  "jakarta.activation:jakarta.activation-api:${activationVersion}" // JavaMail dependency (starting with Java 10), so it must be copied to <tomcat>/lib
+            tomcatJars "com.sun.mail:jakarta.mail:${javaMailVersion}"
+            tomcatJars "jakarta.activation:jakarta.activation-api:${activationApiVersion}" // JavaMail dependency, so it must be copied to <tomcat>/lib
             remotePipelineJars "jakarta.servlet:jakarta.servlet-api:${servletApiVersion}"
         }