From e5cd83a9371ca4e2495dd9c308b7f0bc151e0dc5 Mon Sep 17 00:00:00 2001
From: Adam Rauch <adam@labkey.com>
Date: Wed, 3 Dec 2025 16:18:26 -0800
Subject: [PATCH] Bump lz4 library to 1.8.1

---
 tcrdb/build.gradle      | 9 +++++++++
 tcrdb/gradle.properties | 1 +
 2 files changed, 10 insertions(+)

diff --git a/tcrdb/build.gradle b/tcrdb/build.gradle
index 8218384ef..f22702e73 100644
--- a/tcrdb/build.gradle
+++ b/tcrdb/build.gradle
@@ -5,6 +5,15 @@ repositories {
    mavenCentral()
 }
 
+configurations.all {
+    resolutionStrategy {
+        // Related to: https://nvd.nist.gov/vuln/detail/CVE-2025-12183
+        dependencySubstitution {
+            substitute module('org.lz4:lz4-java') using module("at.yawk.lz4:lz4-java:${lz4Version}")
+        }
+    }
+}
+
 dependencies {
    BuildUtils.addLabKeyDependency(project: project, config: "implementation", depProjectPath: ":server:modules:DiscvrLabKeyModules:singlecell", depProjectConfig: "apiJarFile")
    BuildUtils.addLabKeyDependency(project: project, config: "implementation", depProjectPath: ":server:modules:DiscvrLabKeyModules:SequenceAnalysis", depProjectConfig: "apiJarFile")
diff --git a/tcrdb/gradle.properties b/tcrdb/gradle.properties
index 50708a527..a8367a182 100644
--- a/tcrdb/gradle.properties
+++ b/tcrdb/gradle.properties
@@ -1 +1,2 @@
+lz4Version=1.8.1
 repseqVersion=1.7.0
\ No newline at end of file