Update Tika to mitigate CVE-2025-54988 and CVE-2025-66516

To do so, we also have to update slf4j, logback, and spotter.

gradle/changelog/tika.yaml

@@ -0,0 +1,2 @@
+- type: fixed
+  description: Update of Tika to mitigate CVE-2025-54988 and CVE-2025-66516

gradle/dependencies.gradle

@@ -1,5 +1,5 @@
 ext {
-  slf4jVersion = '1.7.36'
+  slf4jVersion = '2.0.17'
   guiceVersion = '7.0.0'
   resteasyVersion = '6.2.12.Final'
 
@@ -40,7 +40,7 @@ ext {
     // logging
     slf4jApi: "org.slf4j:slf4j-api:${slf4jVersion}",
     slf4jJcl: "org.slf4j:jcl-over-slf4j:${slf4jVersion}",
-    logback: 'ch.qos.logback:logback-classic:1.2.9',
+    logback: 'ch.qos.logback:logback-classic:1.5.23',
 
     // injection
     guice: "com.google.inject:guice:${guiceVersion}",
@@ -136,8 +136,8 @@ ext {
     webResources: 'com.github.sdorra:web-resources:2.0.0',
 
     // content type detection
-    spotter: 'com.cloudogu.spotter:spotter-core:4.0.0',
-    tika: 'org.apache.tika:tika-core:1.28.5',
+    spotter: 'com.cloudogu.spotter:spotter-core:4.1.0',
+    tika: 'org.apache.tika:tika-core:3.2.2',
 
     // restart on unix
     akuma: 'org.kohsuke:akuma:1.10',

yarn.lock

@@ -3148,7 +3148,7 @@
     unist-util-generated "^1.1.6"
     unist-util-visit "^2.0.3"
 
-"@scm-manager/tsconfig@^2.13.0":
+"@scm-manager/tsconfig@^2.12.0", "@scm-manager/tsconfig@^2.13.0":
   version "2.13.0"
   resolved "https://registry.npmjs.org/@scm-manager/tsconfig/-/tsconfig-2.13.0.tgz"
   integrity sha512-Tc9LZAxHUKd+yVBHcCMyRVYTBjhJez+zj+ABxiTOdZOQp/WtJ2Zt084HWxWEOyrXHI6dgo3qv+1H6P1m+UcpoQ==