Fix more errors & remove security constraints that are not needed anymore

Author: pboos

build.gradle

@@ -3,10 +3,6 @@ plugins {
     alias(libs.plugins.nexus.publish)
 }
 
-ext['spring-framework.version'] = '6.2.11'
-ext['tomcat.version'] = '11.0.12'
-ext['netty.version'] = '4.2.6.Final' // Due to security vulnerabilities in 4.125.Final and older
-
 apply from: "${rootDir}/gradle/publish-root.gradle"
 
 allprojects {
@@ -68,31 +64,6 @@ subprojects {
         annotationProcessor(libs.lombok)
         testCompileOnly(libs.lombok)
         testAnnotationProcessor(libs.lombok)
-
-        // Security constraints
-        constraints {
-            implementation("org.springframework:spring-web:6.2.12") {
-                because("versions below 6.2.11 have security vulnerabilities including CVE-2024-38820 and CVE-2025-41249 - see dependabot #12, #24")
-            }
-            implementation("org.springframework:spring-webmvc:6.2.12") {
-                because("versions below 6.2.11 have security vulnerabilities including CVE-2025-41242 and CVE-2025-41249 - see dependabot #24, #247")
-            }
-            implementation("org.apache.tomcat.embed:tomcat-embed-core:11.0.14") {
-                because("versions below 11.0.12 have security vulnerabilities including CVE-2024-56337, CVE-2025-55754, CVE-2025-61795 - see dependabot #13, #27, #28")
-            }
-            implementation("org.apache.commons:commons-lang3:3.20.0") {
-                because("versions below 3.18.0 have security vulnerabilities including CVE-2025-48924 - see dependabot #15")
-            }
-            implementation("io.projectreactor.netty:reactor-netty-http:1.3.0") {
-                because("versions below 1.2.8 have security vulnerabilities including CVE-2025-22227 - see dependabot #16")
-            }
-            implementation("io.netty:netty-codec-http2:4.2.7.Final") {
-                because("versions below 4.1.124.Final have security vulnerabilities including CVE-2025-55163 - see dependabot #17")
-            }
-            implementation("io.netty:netty-codec:4.2.7.Final") {
-                because("versions below 4.1.125.Final have security vulnerabilities including CVE-2025-58057 - see dependabot #21")
-            }
-        }
     }
 
     checkstyle {

examples/example-spring-boot-starter-web/build.gradle

@@ -5,18 +5,6 @@ plugins {
     alias(libs.plugins.openapi.generator)
 }
 
-// Needed for security. See:
-// - https://github.com/getyourguide/openapi-validation-java/security/dependabot/25
-// - https://github.com/getyourguide/openapi-validation-java/security/dependabot/7
-// - https://github.com/getyourguide/openapi-validation-java/security/dependabot/6
-// Hopefully with spring-boot 3.4.2+ this won't be needed anymore and can be removed.
-dependencyManagement {
-    dependencies {
-        dependency 'ch.qos.logback:logback-core:1.5.21'
-        dependency 'ch.qos.logback:logback-classic:1.5.21'
-    }
-}
-
 dependencies {
     implementation project(':examples:examples-common')
     implementation project(':spring-boot-starter:spring-boot-starter-web')

examples/example-spring-boot-starter-webflux/build.gradle

@@ -5,18 +5,6 @@ plugins {
     alias(libs.plugins.openapi.generator)
 }
 
-// Needed for security. See:
-// - https://github.com/getyourguide/openapi-validation-java/security/dependabot/25
-// - https://github.com/getyourguide/openapi-validation-java/security/dependabot/7
-// - https://github.com/getyourguide/openapi-validation-java/security/dependabot/6
-// Hopefully with spring-boot 3.4.2+ this won't be needed anymore and can be removed.
-dependencyManagement {
-    dependencies {
-        dependency 'ch.qos.logback:logback-core:1.5.21'
-        dependency 'ch.qos.logback:logback-classic:1.5.21'
-    }
-}
-
 dependencies {
     implementation project(':examples:examples-common')
     implementation project(':spring-boot-starter:spring-boot-starter-webflux')

examples/example-spring-boot-starter-webflux/src/main/java/com/getyourguide/openapi/validation/example/error/GlobalErrorWebExceptionHandler.java

@@ -3,9 +3,9 @@
 import com.getyourguide.openapi.validation.example.openapi.model.BadRequestResponse;
 import java.util.Optional;
 import org.springframework.boot.autoconfigure.web.WebProperties;
-import org.springframework.boot.autoconfigure.web.reactive.error.AbstractErrorWebExceptionHandler;
 import org.springframework.boot.web.error.ErrorAttributeOptions;
-import org.springframework.boot.web.reactive.error.ErrorAttributes;
+import org.springframework.boot.webflux.autoconfigure.error.AbstractErrorWebExceptionHandler;
+import org.springframework.boot.webflux.error.ErrorAttributes;
 import org.springframework.context.ApplicationContext;
 import org.springframework.core.annotation.Order;
 import org.springframework.http.HttpStatus;

spring-boot-starter/spring-boot-starter-webflux/src/main/java/com/getyourguide/openapi/validation/filter/OpenApiValidationWebFilter.java

@@ -84,8 +84,8 @@ private Mono<AlreadyDidValidation> optionalValidateRequestWithFailOnViolation(
         AlreadyDidValidation alreadyDidValidation
     ) {
         if (!trafficSelector.shouldFailOnRequestViolation(requestMetaData)
-            || !request.getHeaders().containsKey("Content-Type")
-            || !request.getHeaders().containsKey("Content-Length")) {
+            || !request.getHeaders().containsHeader("Content-Type")
+            || !request.getHeaders().containsHeader("Content-Length")) {
             return Mono.just(alreadyDidValidation);
         }