[SCA] Security upgrade @org.apache.struts:struts2-core from 2.3.20 to 2.5.33 #181

Open
gwnlng wants to merge 2 commits into main from snyk-upgrade-a517e634011221a14a4a57be4e893ce3
Owner

gwnlng commented Apr 27, 2026

This is a PR from Snyk, initiated by the Security team, to fix 42 vulnerabilities in the dependencies of this project.

Snyk changed the following file(s):

  • todolist-goof/pom.xml

Important

  • This PR was automatically generated by our security tool to help you fix known vulnerabilities in your project's third-party libraries more efficiently. However, there is a possibility that these changes could introduce functional regressions or breakages. Please ensure you test this PR thoroughly before merging.
  • If you have any questions or concerns, please seek support in the #sca-support Slack channel.

References:

  1. Latest project report in Snyk
  2. How to access Snyk via SSO?
  3. Snyk knowledge base

Snyk has created this PR to upgrade org.apache.struts:struts2-core from 2.3.20 to 2.5.33.

See this package in maven:
org.apache.struts:struts2-core

See this project in Snyk:
https://app.snyk.io/org/gwunleong.lee/project/6d8f8930-2793-4d67-b2df-cc34344f7a1d?utm_source=github&utm_medium=referral&page=upgrade-pr
Owner Author

gwnlng commented Apr 27, 2026

Merge Risk: High

The upgrade from Struts 2.3.20 to 2.5.33 is a major version migration with significant breaking changes that require mandatory code and configuration updates.

Key Breaking Changes:

  • Java Requirement: Struts 2.5 requires Java 7 or later.
  • Filter Class Relocation: The main Struts filter class must be updated in your web.xml file. It has moved from org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter to org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter.
  • Logging Framework: Struts 2.5 uses Log4j2 as its logging layer, replacing the previous logging API. You will need to migrate your existing Log4j configuration to the Log4j2 format.
  • Configuration DTD Update: The DTD declaration in struts.xml must be updated from version 2.3 to 2.5.
  • Tag Library Changes: In JSP and FreeMarker files, the id attribute has been replaced with the var attribute for several common tags, including <s:iterator>, <s:set>, and <s:action>.
  • Dropped Plugins: Support for the Dojo, Codebehind, JSF, and Struts1 plugins has been removed.
  • Tiles Integration: Support for Tiles 2 has been dropped. The framework now uses Tiles 3, and the plugin has been renamed from tiles3-plugin to tiles-plugin.

Source: Struts 2.3 to 2.5 Migration Guide

Recommendation: This is a high-effort upgrade that will break your application without significant code and configuration changes. A dedicated migration effort is required to address the changes to web.xml, struts.xml, JSP/FTL files, and logging configuration before this upgrade can be merged.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.
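
A pre-merge check for the breaking changes listed in the merge-risk comment above, as an added example that is not part of this PR or of Snyk's output. It flags leftover 2.3 constructs in `web.xml`, `struts.xml`, JSP/FreeMarker templates and `pom.xml`; the plugin artifact IDs, the FreeMarker `<@s.…>` tag form and the sample files are assumptions, and the Log4j2 migration is not covered.

```python
import re
import sys
from pathlib import Path

# (file-name regex, content regex, finding). One rule per breaking change that
# leaves a greppable trace; Maven artifact IDs are assumed, not from the PR.
RULES = [
    (r"^web\.xml$", r"org\.apache\.struts2\.dispatcher\.ng\.filter\.StrutsPrepareAndExecuteFilter",
     "filter class still in the 2.3 package dispatcher.ng.filter"),
    (r"^struts.*\.xml$", r"<!DOCTYPE[^>]*DTD Struts Configuration 2\.3",
     "DTD declaration is still version 2.3"),
    (r"\.(jsp|jspf|ftl)$", r"<(?:s:|@s\.)(?:iterator|set|action)\b[^>]*?\bid\s*=",
     "tag uses id= where 2.5 expects var="),
    (r"^pom\.xml$", r"struts2-(?:dojo|codebehind|jsf|struts1)-plugin",
     "plugin was removed in 2.5"),
    (r"^pom\.xml$", r"struts2-tiles3-plugin",
     "Tiles plugin was renamed to tiles-plugin"),
]

def scan_text(path, text):
    """Return (path, line, finding) for every pre-2.5 construct in one file."""
    name, findings = Path(path).name, []
    for name_re, content_re, finding in RULES:
        if re.search(name_re, name):
            for m in re.finditer(content_re, text):
                findings.append((str(path), text.count("\n", 0, m.start()) + 1, finding))
    return findings

def scan_tree(root):
    """Scan every XML, JSP and FreeMarker file under root."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix in {".xml", ".jsp", ".jspf", ".ftl"}:
            findings += scan_text(p, p.read_text(errors="replace"))
    return findings

# Constructed sample files, not taken from the repository in this PR.
SAMPLE = {
    "WEB-INF/web.xml": "<filter>\n  <filter-class>org.apache.struts2.dispatcher"
                       ".ng.filter.StrutsPrepareAndExecuteFilter</filter-class>\n</filter>\n",
    "list.jsp": '<s:iterator value="todos" id="t">\n<s:set var="n" value="1"/>\n',
}

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else [
        f for path, text in SAMPLE.items() for f in scan_text(path, text)]
    for path, line, finding in hits:
        print(f"{path}:{line}: {finding}")
    sys.exit(1 if hits else 0)
```

Run with the project directory as the only argument; a non-zero exit status means at least one file still needs migrating before the upgrade can be merged.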

….5.33

Snyk has created this PR to upgrade org.apache.struts:struts2-spring-plugin from 2.3.20 to 2.5.33.

See this package in maven:
org.apache.struts:struts2-spring-plugin

See this project in Snyk:
https://app.snyk.io/org/gwunleong.lee/project/6d8f8930-2793-4d67-b2df-cc34344f7a1d?utm_source=github&utm_medium=referral&page=upgrade-pr
Owner Author

gwnlng commented Apr 27, 2026

Snyk checks have passed. No issues have been found so far.

| Status | Scan Engine | Critical | High | Medium | Low | Total (0) |
|---|---|---|---|---|---|---|
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |
| | Licenses | 0 | 0 | 0 | 0 | 0 issues |
| | Code Security | 0 | 0 | 0 | 0 | 0 issues |

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.
