From 30c735d175ead6dc9e353524e2bbaba97ba4ae60 Mon Sep 17 00:00:00 2001
From: Hauke Hund
Date: Tue, 26 May 2026 19:36:02 +0200
Subject: [PATCH 1/6] docker base image upgrades
---
 dsf-bpe/dsf-bpe-server-jetty/docker/Dockerfile | 4 ++--
 dsf-docker/bpe_proxy/Dockerfile | 2 +-
 dsf-docker/fhir_proxy/Dockerfile | 2 +-
 dsf-fhir/dsf-fhir-server-jetty/docker/Dockerfile | 4 ++--
 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/dsf-bpe/dsf-bpe-server-jetty/docker/Dockerfile b/dsf-bpe/dsf-bpe-server-jetty/docker/Dockerfile
index 59dbbc118..e848beb95 100755
--- a/dsf-bpe/dsf-bpe-server-jetty/docker/Dockerfile
+++ b/dsf-bpe/dsf-bpe-server-jetty/docker/Dockerfile
@@ -14,7 +14,7 @@
 # limitations under the License.
 #
-FROM debian:trixie-slim@sha256:4ffb3a1511099754cddc70eb1b12e50ffdb67619aa0ab6c13fcd800a78ef7c7a AS builder
+FROM debian:trixie-slim@sha256:b6e2a152f22a40ff69d92cb397223c906017e1391a73c952b588e51af8883bf8 AS builder
 WORKDIR /opt/bpe
 COPY --chown=root:2202 ./ ./
 RUN chown root:2202 ./ && \
@@ -23,7 +23,7 @@ RUN chown root:2202 ./ && \
 chmod 1775 ./log
-FROM azul/zulu-openjdk:25-jre-headless@sha256:0f843579efd505efb0a0eef1d5a816cc4523ffcad458a54a4e9e52e60c4c030a
+FROM azul/zulu-openjdk:25-jre-headless@sha256:8cec35879adc3694e3cad2a499f9527c7c788278a923363b09b096a1b28f751c
 LABEL org.opencontainers.image.source=https://github.com/datasharingframework/dsf
 LABEL org.opencontainers.image.description="DSF BPE Server"
 LABEL org.opencontainers.image.licenses="Apache License, Version 2.0"
diff --git a/dsf-docker/bpe_proxy/Dockerfile b/dsf-docker/bpe_proxy/Dockerfile
index eb9ec33e3..da5e059c1 100644
--- a/dsf-docker/bpe_proxy/Dockerfile
+++ b/dsf-docker/bpe_proxy/Dockerfile
@@ -14,7 +14,7 @@
 # limitations under the License.
 #
-FROM httpd:2.4-alpine@sha256:968c8b4098fcecb473762b45f6c541a3b2b2cfab2caccb1edbd2cece071ef160
+FROM httpd:2.4-alpine@sha256:0136c2d4462f3b8ecc92bea70efdfef4d06523999ae8d7aa533969dea6db4576
 LABEL org.opencontainers.image.source=https://github.com/datasharingframework/dsf
 LABEL org.opencontainers.image.description="DSF BPE Reverse Proxy"
 LABEL org.opencontainers.image.licenses="Apache License, Version 2.0"
diff --git a/dsf-docker/fhir_proxy/Dockerfile b/dsf-docker/fhir_proxy/Dockerfile
index f6c608fae..7a7fe794d 100755
--- a/dsf-docker/fhir_proxy/Dockerfile
+++ b/dsf-docker/fhir_proxy/Dockerfile
@@ -14,7 +14,7 @@
 # limitations under the License.
 #
-FROM httpd:2.4-alpine@sha256:968c8b4098fcecb473762b45f6c541a3b2b2cfab2caccb1edbd2cece071ef160
+FROM httpd:2.4-alpine@sha256:0136c2d4462f3b8ecc92bea70efdfef4d06523999ae8d7aa533969dea6db4576
 LABEL org.opencontainers.image.source=https://github.com/datasharingframework/dsf
 LABEL org.opencontainers.image.description="DSF FHIR Reverse Proxy"
 LABEL org.opencontainers.image.licenses="Apache License, Version 2.0"
diff --git a/dsf-fhir/dsf-fhir-server-jetty/docker/Dockerfile b/dsf-fhir/dsf-fhir-server-jetty/docker/Dockerfile
index 40d6acde3..1a4503eea 100755
--- a/dsf-fhir/dsf-fhir-server-jetty/docker/Dockerfile
+++ b/dsf-fhir/dsf-fhir-server-jetty/docker/Dockerfile
@@ -14,7 +14,7 @@
 # limitations under the License.
 #
-FROM debian:trixie-slim@sha256:4ffb3a1511099754cddc70eb1b12e50ffdb67619aa0ab6c13fcd800a78ef7c7a AS builder
+FROM debian:trixie-slim@sha256:b6e2a152f22a40ff69d92cb397223c906017e1391a73c952b588e51af8883bf8 AS builder
 WORKDIR /opt/fhir
 COPY --chown=root:2101 ./ ./
 RUN chown root:2101 ./ && \
@@ -23,7 +23,7 @@ RUN chown root:2101 ./ && \
 chmod 1775 ./log
-FROM azul/zulu-openjdk:25-jre-headless@sha256:0f843579efd505efb0a0eef1d5a816cc4523ffcad458a54a4e9e52e60c4c030a
+FROM azul/zulu-openjdk:25-jre-headless@sha256:8cec35879adc3694e3cad2a499f9527c7c788278a923363b09b096a1b28f751c
 LABEL org.opencontainers.image.source=https://github.com/datasharingframework/dsf
 LABEL org.opencontainers.image.description="DSF FHIR Server"
 LABEL org.opencontainers.image.licenses="Apache License, Version 2.0"
From 55b5183557aaf93987b433cf5360f14f7915de6b Mon Sep 17 00:00:00 2001
From: Hauke Hund
Date: Mon, 1 Jun 2026 12:47:22 +0200
Subject: [PATCH 2/6] fully qualified image names
---
 dsf-bpe/dsf-bpe-server-jetty/docker/Dockerfile | 4 ++--
 dsf-docker/bpe_proxy/Dockerfile | 2 +-
 dsf-docker/fhir_proxy/Dockerfile | 2 +-
 dsf-fhir/dsf-fhir-server-jetty/docker/Dockerfile | 4 ++--
 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/dsf-bpe/dsf-bpe-server-jetty/docker/Dockerfile b/dsf-bpe/dsf-bpe-server-jetty/docker/Dockerfile
index e848beb95..dc38732ab 100755
--- a/dsf-bpe/dsf-bpe-server-jetty/docker/Dockerfile
+++ b/dsf-bpe/dsf-bpe-server-jetty/docker/Dockerfile
@@ -14,7 +14,7 @@
 # limitations under the License.
 #
-FROM debian:trixie-slim@sha256:b6e2a152f22a40ff69d92cb397223c906017e1391a73c952b588e51af8883bf8 AS builder
+FROM docker.io/library/debian:trixie-slim@sha256:b6e2a152f22a40ff69d92cb397223c906017e1391a73c952b588e51af8883bf8 AS builder
 WORKDIR /opt/bpe
 COPY --chown=root:2202 ./ ./
 RUN chown root:2202 ./ && \
@@ -23,7 +23,7 @@ RUN chown root:2202 ./ && \
 chmod 1775 ./log
-FROM azul/zulu-openjdk:25-jre-headless@sha256:8cec35879adc3694e3cad2a499f9527c7c788278a923363b09b096a1b28f751c
+FROM docker.io/azul/zulu-openjdk:25-jre-headless@sha256:8cec35879adc3694e3cad2a499f9527c7c788278a923363b09b096a1b28f751c
 LABEL org.opencontainers.image.source=https://github.com/datasharingframework/dsf
 LABEL org.opencontainers.image.description="DSF BPE Server"
 LABEL org.opencontainers.image.licenses="Apache License, Version 2.0"
diff --git a/dsf-docker/bpe_proxy/Dockerfile b/dsf-docker/bpe_proxy/Dockerfile
index da5e059c1..60cb8e1ef 100644
--- a/dsf-docker/bpe_proxy/Dockerfile
+++ b/dsf-docker/bpe_proxy/Dockerfile
@@ -14,7 +14,7 @@
 # limitations under the License.
 #
-FROM httpd:2.4-alpine@sha256:0136c2d4462f3b8ecc92bea70efdfef4d06523999ae8d7aa533969dea6db4576
+FROM docker.io/library/httpd:2.4-alpine@sha256:0136c2d4462f3b8ecc92bea70efdfef4d06523999ae8d7aa533969dea6db4576
 LABEL org.opencontainers.image.source=https://github.com/datasharingframework/dsf
 LABEL org.opencontainers.image.description="DSF BPE Reverse Proxy"
 LABEL org.opencontainers.image.licenses="Apache License, Version 2.0"
diff --git a/dsf-docker/fhir_proxy/Dockerfile b/dsf-docker/fhir_proxy/Dockerfile
index 7a7fe794d..15cb6c2fc 100755
--- a/dsf-docker/fhir_proxy/Dockerfile
+++ b/dsf-docker/fhir_proxy/Dockerfile
@@ -14,7 +14,7 @@
 # limitations under the License.
 #
-FROM httpd:2.4-alpine@sha256:0136c2d4462f3b8ecc92bea70efdfef4d06523999ae8d7aa533969dea6db4576
+FROM docker.io/library/httpd:2.4-alpine@sha256:0136c2d4462f3b8ecc92bea70efdfef4d06523999ae8d7aa533969dea6db4576
 LABEL org.opencontainers.image.source=https://github.com/datasharingframework/dsf
 LABEL org.opencontainers.image.description="DSF FHIR Reverse Proxy"
 LABEL org.opencontainers.image.licenses="Apache License, Version 2.0"
diff --git a/dsf-fhir/dsf-fhir-server-jetty/docker/Dockerfile b/dsf-fhir/dsf-fhir-server-jetty/docker/Dockerfile
index 1a4503eea..3faac011b 100755
--- a/dsf-fhir/dsf-fhir-server-jetty/docker/Dockerfile
+++ b/dsf-fhir/dsf-fhir-server-jetty/docker/Dockerfile
@@ -14,7 +14,7 @@
 # limitations under the License.
 #
-FROM debian:trixie-slim@sha256:b6e2a152f22a40ff69d92cb397223c906017e1391a73c952b588e51af8883bf8 AS builder
+FROM docker.io/library/debian:trixie-slim@sha256:b6e2a152f22a40ff69d92cb397223c906017e1391a73c952b588e51af8883bf8 AS builder
 WORKDIR /opt/fhir
 COPY --chown=root:2101 ./ ./
 RUN chown root:2101 ./ && \
@@ -23,7 +23,7 @@ RUN chown root:2101 ./ && \
 chmod 1775 ./log
-FROM azul/zulu-openjdk:25-jre-headless@sha256:8cec35879adc3694e3cad2a499f9527c7c788278a923363b09b096a1b28f751c
+FROM docker.io/azul/zulu-openjdk:25-jre-headless@sha256:8cec35879adc3694e3cad2a499f9527c7c788278a923363b09b096a1b28f751c
 LABEL org.opencontainers.image.source=https://github.com/datasharingframework/dsf
 LABEL org.opencontainers.image.description="DSF FHIR Server"
 LABEL org.opencontainers.image.licenses="Apache License, Version 2.0"
From f52de9099804c659dd7aa881074f0aa36a81acfc Mon Sep 17 00:00:00 2001
From: Hauke Hund
Date: Tue, 2 Jun 2026 17:41:56 +0200
Subject: [PATCH 3/6] action version upgrades
---
 .github/workflows/build.yml | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 91958b916..4af316c2d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -51,7 +51,7 @@ jobs:
 java-version: 25
 cache: 'maven'
 - name: Initialize CodeQL
- uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+ uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
 with:
 languages: ${{ matrix.language }}
 build-mode: ${{ matrix.build-mode }}
@@ -60,7 +60,7 @@ jobs:
 if: ${{ matrix.language == 'java-kotlin' }}
 run: mvn package $MVN_BATCH_MODE_FAIL_AT_END $MVN_SKIP_MOST -DskipTests
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+ uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
 with:
 category: "/language:${{matrix.language}}"
@@ -185,18 +185,18 @@ jobs:
 name: quick_build
 path: ./
 - name: Set up Buildx
- uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+ uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 - name: Build Docker image
 run: docker build -t ghcr.io/${{ github.repository_owner }}/${{ matrix.image.name }}:${{ github.sha }} ${{ matrix.image.context }}
 - name: Scan Docker image with Trivy
- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
+ uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
 with:
 image-ref: ghcr.io/${{ github.repository_owner }}/${{ matrix.image.name }}:${{ github.sha }}
 format: 'sarif'
 output: 'trivy-results-${{ matrix.image.name }}.sarif'
 trivyignores: './.trivyignore'
 - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+ uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
 if: always()
 with:
 sarif_file: 'trivy-results-${{ matrix.image.name }}.sarif'
@@ -232,17 +232,17 @@ jobs:
 name: quick_build
 path: ./
 - name: Set up QEMU
- uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+ uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
 - name: Set up Buildx
- uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+ uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 - name: Login to GitHub Container Registry
- uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Docker metadata
- uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+ uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
 id: meta
 with:
 images: ghcr.io/${{ github.repository_owner }}/${{ matrix.image.name }}
@@ -257,7 +257,7 @@ jobs:
 # latest only for stable releases
 # develop builds
 - name: Build and Push
- uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+ uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
 id: push
 with:
 push: true
@@ -273,7 +273,7 @@ jobs:
 - name: Generate SBOM
 run: syft ghcr.io/${{ github.repository_owner }}/${{ matrix.image.name }}@${DIGEST} -o cyclonedx-json > sbom.json
 - name: Set up cosign
- uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+ uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 - name: Attach SBOM
 run: cosign attest --yes --predicate sbom.json --type cyclonedx ghcr.io/${{ github.repository_owner }}/${{ matrix.image.name }}@${DIGEST}
 - name: Sign image
From f67e589a818dc92d4cc24a2eeb4a4b85ca0cc064 Mon Sep 17 00:00:00 2001
From: Hauke Hund
Date: Tue, 2 Jun 2026 17:51:56 +0200
Subject: [PATCH 4/6] nginx version upgrade, static subnet config for all networks
The "internet" network must be a /28 network and thus the start ip needs to be aligned to a multiple of 16. All other networks are /29 with start ips aligned to multiples of 8.
---
 .../docker-compose.yml | 94 ++++++++++++++-----
 .../proxy/conf.d/dic1.conf | 2 +-
 .../proxy/conf.d/dic2.conf | 4 +-
 .../proxy/conf.d/dic3.conf | 4 +-
 .../proxy/conf.d/ttp.conf | 4 +-
 5 files changed, 79 insertions(+), 29 deletions(-)
diff --git a/dsf-docker-dev-setup-3dic-ttp/docker-compose.yml b/dsf-docker-dev-setup-3dic-ttp/docker-compose.yml
index 7cbd9d76b..b5378f93a 100644
--- a/dsf-docker-dev-setup-3dic-ttp/docker-compose.yml
+++ b/dsf-docker-dev-setup-3dic-ttp/docker-compose.yml
@@ -16,7 +16,7 @@
 services:
 proxy:
- image: nginx:1.29
+ image: nginx:1.31
 restart: "no"
 ports:
 - 127.0.0.1:443:443
@@ -38,19 +38,19 @@ services:
 dic1-fhir-frontend:
 ipv4_address: 172.20.0.2
 dic2-fhir-frontend:
- ipv4_address: 172.20.0.10
- dic3-fhir-frontend:
 ipv4_address: 172.20.0.18
+ dic3-fhir-frontend:
+ ipv4_address: 172.20.0.34
 ttp-fhir-frontend:
- ipv4_address: 172.20.0.26
+ ipv4_address: 172.20.0.50
 dic1-bpe-frontend:
- ipv4_address: 172.20.0.34
+ ipv4_address: 172.20.0.66
 dic2-bpe-frontend:
- ipv4_address: 172.20.0.42
+ ipv4_address: 172.20.0.82
 dic3-bpe-frontend:
- ipv4_address: 172.20.0.50
+ ipv4_address: 172.20.0.98
 ttp-bpe-frontend:
- ipv4_address: 172.20.0.58
+ ipv4_address: 172.20.0.114
 internet:
 aliases:
 - dic1
@@ -290,7 +290,7 @@ services:
 DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET_FILE: /run/secrets/oidc_client_dic2_fhir.secret
 networks:
 dic2-fhir-frontend:
- ipv4_address: 172.20.0.11
+ ipv4_address: 172.20.0.19
 dic2-fhir-backend:
 internet:
 depends_on:
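Review bot: The `proxy` service's `image: nginx:1.31` in the first hunk of docker-compose.yml is still a short, tag-only reference, while the Dockerfiles earlier in this series were moved to fully qualified names pinned by digest. A tag can be re-pointed upstream and a short name depends on the container engine's default or search registries, so the dev setup does not get the same reproducibility as the built images. Consider `image: docker.io/library/nginx:1.31@sha256:<digest-of-the-reviewed-image>` (placeholder; resolve the digest when updating). If tag-only is deliberate for the dev setup, a one-line comment above the `image:` key saying so would settle the question for later reviewers.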
@@ -369,7 +369,7 @@ services:
 DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET_FILE: /run/secrets/oidc_client_dic3_fhir.secret
 networks:
 dic3-fhir-frontend:
- ipv4_address: 172.20.0.19
+ ipv4_address: 172.20.0.35
 dic3-fhir-backend:
 internet:
 depends_on:
@@ -456,7 +456,7 @@ services:
 DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET_FILE: /run/secrets/oidc_client_ttp_fhir.secret
 networks:
 ttp-fhir-frontend:
- ipv4_address: 172.20.0.27
+ ipv4_address: 172.20.0.51
 ttp-fhir-backend:
 internet:
 depends_on:
@@ -573,7 +573,7 @@ services:
 DEV_DSF_BPE_FHIR_CLIENT_CONNECTIONS_CONFIG_DEFAULT_TRUST_SERVER_CERTIFICATE_CAS: /run/secrets/root_ca.crt
 networks:
 dic1-bpe-frontend:
- ipv4_address: 172.20.0.35
+ ipv4_address: 172.20.0.67
 dic1-bpe-backend:
 internet:
 forward-proxy:
@@ -664,7 +664,7 @@ services:
 DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET_FILE: /run/secrets/oidc_client_dic2_bpe.secret
 networks:
 dic2-bpe-frontend:
- ipv4_address: 172.20.0.43
+ ipv4_address: 172.20.0.83
 dic2-bpe-backend:
 internet:
 depends_on:
@@ -753,7 +753,7 @@ services:
 DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET_FILE: /run/secrets/oidc_client_dic3_bpe.secret
 networks:
 dic3-bpe-frontend:
- ipv4_address: 172.20.0.51
+ ipv4_address: 172.20.0.99
 dic3-bpe-backend:
 internet:
 depends_on:
@@ -843,7 +843,7 @@ services:
 DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET_FILE: /run/secrets/oidc_client_ttp_bpe.secret
 networks:
 ttp-bpe-frontend:
- ipv4_address: 172.20.0.59
+ ipv4_address: 172.20.0.115
 ttp-bpe-backend:
 internet:
 depends_on:
@@ -964,57 +964,107 @@ networks:
 config:
 - subnet: 172.20.0.0/29
 dic1-fhir-backend:
- dic2-fhir-frontend:
 driver: bridge
 ipam:
 driver: default
 config:
 - subnet: 172.20.0.8/29
+ dic2-fhir-frontend:
+ driver: bridge
+ ipam:
+ driver: default
+ config:
+ - subnet: 172.20.0.16/29
 dic2-fhir-backend:
+ driver: bridge
+ ipam:
+ driver: default
+ config:
+ - subnet: 172.20.0.24/29
 dic3-fhir-frontend:
 driver: bridge
 ipam:
 driver: default
 config:
- - subnet: 172.20.0.16/29
+ - subnet: 172.20.0.32/29
 dic3-fhir-backend:
+ driver: bridge
+ ipam:
+ driver: default
+ config:
+ - subnet: 172.20.0.40/29
 ttp-fhir-frontend:
 driver: bridge
 ipam:
 driver: default
 config:
- - subnet: 172.20.0.24/29
+ - subnet: 172.20.0.48/29
 ttp-fhir-backend:
+ driver: bridge
+ ipam:
+ driver: default
+ config:
+ - subnet: 172.20.0.56/29
 dic1-bpe-frontend:
 driver: bridge
 ipam:
 driver: default
 config:
- - subnet: 172.20.0.32/29
+ - subnet: 172.20.0.64/29
 dic1-bpe-backend:
+ driver: bridge
+ ipam:
+ driver: default
+ config:
+ - subnet: 172.20.0.72/29
 dic2-bpe-frontend:
 driver: bridge
 ipam:
 driver: default
 config:
- - subnet: 172.20.0.40/29
+ - subnet: 172.20.0.80/29
 dic2-bpe-backend:
+ driver: bridge
+ ipam:
+ driver: default
+ config:
+ - subnet: 172.20.0.88/29
 dic3-bpe-frontend:
 driver: bridge
 ipam:
 driver: default
 config:
- - subnet: 172.20.0.48/29
+ - subnet: 172.20.0.96/29
 dic3-bpe-backend:
+ driver: bridge
+ ipam:
+ driver: default
+ config:
+ - subnet: 172.20.0.104/29
 ttp-bpe-frontend:
 driver: bridge
 ipam:
 driver: default
 config:
- - subnet: 172.20.0.56/29
+ - subnet: 172.20.0.112/29
 ttp-bpe-backend:
+ driver: bridge
+ ipam:
+ driver: default
+ config:
+ - subnet: 172.20.0.120/29
 internet:
+ driver: bridge
+ ipam:
+ driver: default
+ config:
+ - subnet: 172.20.0.128/28
 forward-proxy:
+ driver: bridge
+ ipam:
+ driver: default
+ config:
+ - subnet: 172.20.0.144/29
 volumes:
 postgresql:
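Review bot: The addressing rule for the `networks:` block is recorded only in the commit message, so whoever adds the next network has nothing in the file to follow. A header comment above `networks:` such as `# every network is a /29 starting on a multiple of 8; "internet" is a /28 starting on a multiple of 16` would keep the plan next to the values. It is worth stating in the same comment that the `ipv4_address` values of the frontend services are repeated as literals in `proxy/conf.d/*.conf` and must be changed together. The subnets visible in this hunk are contiguous and do not overlap; the hunk begins inside the block, so the entry owning `172.20.0.0/29` is only partly shown.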
diff --git a/dsf-docker-dev-setup-3dic-ttp/proxy/conf.d/dic1.conf b/dsf-docker-dev-setup-3dic-ttp/proxy/conf.d/dic1.conf
index 0580cae33..e7e86ae66 100644
--- a/dsf-docker-dev-setup-3dic-ttp/proxy/conf.d/dic1.conf
+++ b/dsf-docker-dev-setup-3dic-ttp/proxy/conf.d/dic1.conf
@@ -38,7 +38,7 @@ server {
 location /bpe {
 proxy_set_header X-ClientCert $ssl_client_escaped_cert;
- proxy_pass http://172.20.0.35:8080/bpe;
+ proxy_pass http://172.20.0.67:8080/bpe;
 proxy_http_version 1.1;
 proxy_set_header Host $http_host;
diff --git a/dsf-docker-dev-setup-3dic-ttp/proxy/conf.d/dic2.conf b/dsf-docker-dev-setup-3dic-ttp/proxy/conf.d/dic2.conf
index e7cffb32d..7246c61e8 100644
--- a/dsf-docker-dev-setup-3dic-ttp/proxy/conf.d/dic2.conf
+++ b/dsf-docker-dev-setup-3dic-ttp/proxy/conf.d/dic2.conf
@@ -22,7 +22,7 @@ server {
 location /fhir {
 proxy_set_header X-ClientCert $ssl_client_escaped_cert;
- proxy_pass http://172.20.0.11:8080/fhir;
+ proxy_pass http://172.20.0.19:8080/fhir;
 proxy_http_version 1.1;
 proxy_set_header Host $http_host;
@@ -38,7 +38,7 @@ server {
 location /bpe {
 proxy_set_header X-ClientCert $ssl_client_escaped_cert;
- proxy_pass http://172.20.0.43:8080/bpe;
+ proxy_pass http://172.20.0.83:8080/bpe;
 proxy_http_version 1.1;
 proxy_set_header Host $http_host;
diff --git a/dsf-docker-dev-setup-3dic-ttp/proxy/conf.d/dic3.conf b/dsf-docker-dev-setup-3dic-ttp/proxy/conf.d/dic3.conf
index 2b5668b8a..3b9856925 100644
--- a/dsf-docker-dev-setup-3dic-ttp/proxy/conf.d/dic3.conf
+++ b/dsf-docker-dev-setup-3dic-ttp/proxy/conf.d/dic3.conf
@@ -22,7 +22,7 @@ server {
 location /fhir {
 proxy_set_header X-ClientCert $ssl_client_escaped_cert;
- proxy_pass http://172.20.0.19:8080/fhir;
+ proxy_pass http://172.20.0.35:8080/fhir;
 proxy_http_version 1.1;
 proxy_set_header Host $http_host;
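Review bot: Each changed `proxy_pass http://172.20.0.x:8080/...` line forwards the client certificate in `X-ClientCert` over plain HTTP to a literal address, so the protection of that header rests on the backend being reachable only through this proxy on its own /29. Nothing in the conf files says which compose network an address belongs to; a comment above the line in dic1.conf, e.g. `# backend on compose network dic1-bpe-frontend (172.20.0.64/29), keep in sync with docker-compose.yml`, would make a later renumbering checkable. The same applies to the `proxy_pass` changes in dic2.conf, dic3.conf and ttp.conf. How the backends treat `X-ClientCert` is not visible in this patch, so it should be confirmed that they do not accept the header from any peer other than the proxy. The `location` blocks continue outside the hunks.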
@@ -38,7 +38,7 @@ server {
 location /bpe {
 proxy_set_header X-ClientCert $ssl_client_escaped_cert;
- proxy_pass http://172.20.0.51:8080/bpe;
+ proxy_pass http://172.20.0.99:8080/bpe;
 proxy_http_version 1.1;
 proxy_set_header Host $http_host;
diff --git a/dsf-docker-dev-setup-3dic-ttp/proxy/conf.d/ttp.conf b/dsf-docker-dev-setup-3dic-ttp/proxy/conf.d/ttp.conf
index da3d7d9fc..7fd6b7c49 100644
--- a/dsf-docker-dev-setup-3dic-ttp/proxy/conf.d/ttp.conf
+++ b/dsf-docker-dev-setup-3dic-ttp/proxy/conf.d/ttp.conf
@@ -22,7 +22,7 @@ server {
 location /fhir {
 proxy_set_header X-ClientCert $ssl_client_escaped_cert;
- proxy_pass http://172.20.0.27:8080/fhir;
+ proxy_pass http://172.20.0.51:8080/fhir;
 proxy_http_version 1.1;
 proxy_set_header Host $http_host;
@@ -38,7 +38,7 @@ server {
 location /bpe {
 proxy_set_header X-ClientCert $ssl_client_escaped_cert;
- proxy_pass http://172.20.0.59:8080/bpe;
+ proxy_pass http://172.20.0.115:8080/bpe;
 proxy_http_version 1.1;
 proxy_set_header Host $http_host;
From ac2a29f9c442620d9b1536b5a80e092e6ee2c50f Mon Sep 17 00:00:00 2001
From: Hauke Hund
Date: Tue, 2 Jun 2026 18:10:53 +0200
Subject: [PATCH 5/6] changed level of log message from warning to debug
The log message is produced during delete and deletePermanently authorization checks. The warning was generated for every deletePermanently operation and reflects an expected status.
---
 .../java/dev/dsf/fhir/dao/jdbc/AbstractResourceDaoJdbc.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dsf-fhir/dsf-fhir-server/src/main/java/dev/dsf/fhir/dao/jdbc/AbstractResourceDaoJdbc.java b/dsf-fhir/dsf-fhir-server/src/main/java/dev/dsf/fhir/dao/jdbc/AbstractResourceDaoJdbc.java
index f5ff2763a..8db9e7a7a 100755
--- a/dsf-fhir/dsf-fhir-server/src/main/java/dev/dsf/fhir/dao/jdbc/AbstractResourceDaoJdbc.java
+++ b/dsf-fhir/dsf-fhir-server/src/main/java/dev/dsf/fhir/dao/jdbc/AbstractResourceDaoJdbc.java
@@ -523,7 +523,7 @@ public Optional readIncludingDeletedWithTransaction(Connection connection, UU if (result.next()) { if (preparedStatementFactory.getReadByIdDeleted(result) != null) - logger.warn("{} with IdPart {} found, but marked as deleted", resourceTypeName, uuid); + logger.debug("{} with IdPart {} found, but marked as deleted", resourceTypeName, uuid); else logger.debug("{} with IdPart {} found", resourceTypeName, uuid); From 06865e9f39850c405f530f8120b877051b4e2d3f Mon Sep 17 00:00:00 2001 From: Hauke Hund Date: Tue, 2 Jun 2026 20:24:52 +0200 Subject: [PATCH 6/6] dependency and maven plugin version upgrades, related code changes cleaned up not needed com.auth0:java-jwt dependencies --- dsf-bpe/dsf-bpe-process-api-v1-base/pom.xml | 6 +++ .../dsf-bpe-process-api-v1-operaton/pom.xml | 6 +++ dsf-bpe/dsf-bpe-process-api-v1/pom.xml | 6 +++ dsf-bpe/dsf-bpe-process-api-v2-impl/pom.xml | 5 -- dsf-bpe/dsf-bpe-process-api-v2/pom.xml | 6 +++ dsf-bpe/dsf-bpe-process-api/pom.xml | 10 ++-- dsf-bpe/dsf-bpe-server/pom.xml | 5 ++ dsf-common/dsf-common-auth/pom.xml | 6 +++ dsf-common/dsf-common-config/pom.xml | 6 +++ .../dsf-common-docker-secrets-reader/pom.xml | 6 +++ .../common/logging/Log4jConfiguration.java | 25 +++++----- .../dsf/common/logging/Log4jInitializer.java | 4 +- dsf-common/dsf-common-status/pom.xml | 6 +++ dsf-maven/dsf-maven-plugin/pom.xml | 6 +++ pom.xml | 50 +++++++++---------- 15 files changed, 103 insertions(+), 50 deletions(-) diff --git a/dsf-bpe/dsf-bpe-process-api-v1-base/pom.xml b/dsf-bpe/dsf-bpe-process-api-v1-base/pom.xml index a6b2dd82d..ac6384d02 100644 --- a/dsf-bpe/dsf-bpe-process-api-v1-base/pom.xml +++ b/dsf-bpe/dsf-bpe-process-api-v1-base/pom.xml @@ -41,6 +41,12 @@ org.springframework spring-context + + + commons-logging + commons-logging + + com.fasterxml.jackson.core diff --git a/dsf-bpe/dsf-bpe-process-api-v1-operaton/pom.xml b/dsf-bpe/dsf-bpe-process-api-v1-operaton/pom.xml index 95816cf97..d578bdc92 100644 
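Review bot: The reason for logging a deleted hit at debug is given only in the commit message; in `readIncludingDeletedWithTransaction` the two branches now differ only in wording, which will look accidental to a later reader. A comment above the first call, e.g. `// expected during delete / deletePermanently authorization checks, so not a warning`, would keep the rationale with the code. The method name suggests it serves every read that includes deleted resources, so it may be worth confirming that no other caller relied on the warning to make reads of deleted resources visible in the logs. The method body starts and ends outside the hunk.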
--- a/dsf-bpe/dsf-bpe-process-api-v1-operaton/pom.xml +++ b/dsf-bpe/dsf-bpe-process-api-v1-operaton/pom.xml @@ -49,6 +49,12 @@ org.springframework spring-context + + + commons-logging + commons-logging + + com.fasterxml.jackson.core diff --git a/dsf-bpe/dsf-bpe-process-api-v1/pom.xml b/dsf-bpe/dsf-bpe-process-api-v1/pom.xml index 328e41ef5..ce2a3c3a1 100644 --- a/dsf-bpe/dsf-bpe-process-api-v1/pom.xml +++ b/dsf-bpe/dsf-bpe-process-api-v1/pom.xml @@ -50,6 +50,12 @@ org.springframework spring-context + + + commons-logging + commons-logging + + com.fasterxml.jackson.core diff --git a/dsf-bpe/dsf-bpe-process-api-v2-impl/pom.xml b/dsf-bpe/dsf-bpe-process-api-v2-impl/pom.xml index a04f585fb..2e938fb24 100644 --- a/dsf-bpe/dsf-bpe-process-api-v2-impl/pom.xml +++ b/dsf-bpe/dsf-bpe-process-api-v2-impl/pom.xml @@ -88,11 +88,6 @@ ${hapi.fhir.version.v2} - - com.auth0 - java-jwt - - de.hs-heilbronn.mi crypto-utils diff --git a/dsf-bpe/dsf-bpe-process-api-v2/pom.xml b/dsf-bpe/dsf-bpe-process-api-v2/pom.xml index 0fc973937..0b46f69ca 100644 --- a/dsf-bpe/dsf-bpe-process-api-v2/pom.xml +++ b/dsf-bpe/dsf-bpe-process-api-v2/pom.xml @@ -57,6 +57,12 @@ org.springframework spring-context + + + commons-logging + commons-logging + + com.fasterxml.jackson.core diff --git a/dsf-bpe/dsf-bpe-process-api/pom.xml b/dsf-bpe/dsf-bpe-process-api/pom.xml index 0205d2748..f8352bfa5 100644 --- a/dsf-bpe/dsf-bpe-process-api/pom.xml +++ b/dsf-bpe/dsf-bpe-process-api/pom.xml @@ -46,10 +46,12 @@ org.springframework spring-context - - - com.auth0 - java-jwt + + + commons-logging + commons-logging + + \ No newline at end of file diff --git a/dsf-bpe/dsf-bpe-server/pom.xml b/dsf-bpe/dsf-bpe-server/pom.xml index 30c57b695..0dde1acd7 100755 --- a/dsf-bpe/dsf-bpe-server/pom.xml +++ b/dsf-bpe/dsf-bpe-server/pom.xml @@ -216,6 +216,11 @@ bcmail-jdk18on + + com.auth0 + java-jwt + + com.icegreen greenmail-junit4 
diff --git a/dsf-common/dsf-common-auth/pom.xml b/dsf-common/dsf-common-auth/pom.xml index a7b809b77..61d33f97b 100644 --- a/dsf-common/dsf-common-auth/pom.xml +++ b/dsf-common/dsf-common-auth/pom.xml @@ -64,6 +64,12 @@ org.springframework spring-beans + + + commons-logging + commons-logging + + org.bouncycastle diff --git a/dsf-common/dsf-common-config/pom.xml b/dsf-common/dsf-common-config/pom.xml index 5f5f2b5b4..fbee5a783 100644 --- a/dsf-common/dsf-common-config/pom.xml +++ b/dsf-common/dsf-common-config/pom.xml @@ -36,6 +36,12 @@ org.springframework spring-beans + + + commons-logging + commons-logging + + de.hs-heilbronn.mi diff --git a/dsf-common/dsf-common-docker-secrets-reader/pom.xml b/dsf-common/dsf-common-docker-secrets-reader/pom.xml index 87ac31219..0659f22b7 100644 --- a/dsf-common/dsf-common-docker-secrets-reader/pom.xml +++ b/dsf-common/dsf-common-docker-secrets-reader/pom.xml @@ -36,6 +36,12 @@ org.springframework spring-core + + + commons-logging + commons-logging + + org.slf4j diff --git a/dsf-common/dsf-common-jetty/src/main/java/dev/dsf/common/logging/Log4jConfiguration.java b/dsf-common/dsf-common-jetty/src/main/java/dev/dsf/common/logging/Log4jConfiguration.java index e8c9ca909..3e08ab356 100644 --- a/dsf-common/dsf-common-jetty/src/main/java/dev/dsf/common/logging/Log4jConfiguration.java +++ b/dsf-common/dsf-common-jetty/src/main/java/dev/dsf/common/logging/Log4jConfiguration.java 
@@ -60,17 +60,17 @@ public Log4jTextLayout(boolean color) public StringLayout consoleLayout(Configuration configuration) { if (color) - return PatternLayout.newBuilder().withPattern( + return PatternLayout.newBuilder().setPattern( "%highlight{%p %t - %C{1}.%M(%L) | %m}{FATAL=red, ERROR=red, WARN=yellow, INFO=white, DEBUG=white, TRACE=white}%n") .build(); else - return PatternLayout.newBuilder().withPattern("%p %t - %C{1}.%M(%L) | %m%n").build(); + return PatternLayout.newBuilder().setPattern("%p %t - %C{1}.%M(%L) | %m%n").build(); } @Override public StringLayout fileLayout(Configuration configuration) { - return PatternLayout.newBuilder().withPattern("%d [%t] %-5p %c - %m%n").build(); + return PatternLayout.newBuilder().setPattern("%d [%t] %-5p %c - %m%n").build(); } } @@ -87,17 +87,17 @@ public Log4jTextMdcLayout(boolean color) public StringLayout consoleLayout(Configuration configuration) { if (color) - return PatternLayout.newBuilder().withPattern( + return PatternLayout.newBuilder().setPattern( "%highlight{%p %t - %C{1}.%M(%L)%notEmpty{ - %X} | %m}{FATAL=red, ERROR=red, WARN=yellow, INFO=white, DEBUG=white, TRACE=white}%n") .build(); else - return PatternLayout.newBuilder().withPattern("%p %t - %C{1}.%M(%L)%notEmpty{ - %X} | %m%n").build(); + return PatternLayout.newBuilder().setPattern("%p %t - %C{1}.%M(%L)%notEmpty{ - %X} | %m%n").build(); } @Override public StringLayout fileLayout(Configuration configuration) { - return PatternLayout.newBuilder().withPattern("%d [%t] %-5p %c%notEmpty{ - %X} - %m%n").build(); + return PatternLayout.newBuilder().setPattern("%d [%t] %-5p %c%notEmpty{ - %X} - %m%n").build(); } } 
@@ -180,11 +180,10 @@ public Log4jConfiguration(LoggerContext loggerContext, String name, String fileN if (fileEnabled) { - Appender file = RollingFileAppender.newBuilder().setName("FILE") - .withFileName("log/" + fileNamePart + ".log") - .withFilePattern("log/" + fileNamePart + "_%d{yyyy-MM-dd}_%i.log.gz").setIgnoreExceptions(false) + Appender file = RollingFileAppender.newBuilder().setName("FILE").setFileName("log/" + fileNamePart + ".log") + .setFilePattern("log/" + fileNamePart + "_%d{yyyy-MM-dd}_%i.log.gz").setIgnoreExceptions(false) .setLayout(fileLayout.fileLayout(this)) - .withPolicy(CompositeTriggeringPolicy.createPolicy(OnStartupTriggeringPolicy.createPolicy(1), + .setPolicy(CompositeTriggeringPolicy.createPolicy(OnStartupTriggeringPolicy.createPolicy(1), TimeBasedTriggeringPolicy.newBuilder().build())) .build(); addAppender(file); @@ -246,10 +245,10 @@ private Appender createFileAppender(String appenderName, String fileNamePart, St return null; return RollingFileAppender.newBuilder().setName(appenderName + ".FILE") - .withFileName("log/" + fileNamePart + ".log") - .withFilePattern("log/" + fileNamePart + "_%d{yyyy-MM-dd}_%i.log.gz").setIgnoreExceptions(false) + .setFileName("log/" + fileNamePart + ".log") + .setFilePattern("log/" + fileNamePart + "_%d{yyyy-MM-dd}_%i.log.gz").setIgnoreExceptions(false) .setLayout(layout) - .withPolicy(CompositeTriggeringPolicy.createPolicy(OnStartupTriggeringPolicy.createPolicy(1), + .setPolicy(CompositeTriggeringPolicy.createPolicy(OnStartupTriggeringPolicy.createPolicy(1), TimeBasedTriggeringPolicy.newBuilder().build())) .build(); } diff --git a/dsf-common/dsf-common-jetty/src/main/java/dev/dsf/common/logging/Log4jInitializer.java b/dsf-common/dsf-common-jetty/src/main/java/dev/dsf/common/logging/Log4jInitializer.java index 0ed1b28da..f3952d201 100644 --- a/dsf-common/dsf-common-jetty/src/main/java/dev/dsf/common/logging/Log4jInitializer.java 
+++ b/dsf-common/dsf-common-jetty/src/main/java/dev/dsf/common/logging/Log4jInitializer.java @@ -240,9 +240,9 @@ else if (STYLE_JSON_LOGSTASH.equalsIgnoreCase(value)) return configuration -> JsonTemplateLayout.newBuilder().setConfiguration(configuration) .setEventTemplateUri(TemplateUri.LOGSTASH.getUri()).build(); else if (STYLE_TEXT.equalsIgnoreCase(value)) - return _ -> PatternLayout.newBuilder().withPattern("%d %m%n").build(); + return _ -> PatternLayout.newBuilder().setPattern("%d %m%n").build(); else if (STYLE_TEXT_MDC.equalsIgnoreCase(value)) - return _ -> PatternLayout.newBuilder().withPattern("%d%notEmpty{ %X} %m%n").build(); + return _ -> PatternLayout.newBuilder().setPattern("%d%notEmpty{ %X} %m%n").build(); else throw new IllegalArgumentException( "Value '" + value + "' for " + PREFIX + parameter + POSTFIX_STYLE + " not supported"); diff --git a/dsf-common/dsf-common-status/pom.xml b/dsf-common/dsf-common-status/pom.xml index b8a03f6e1..c4bbcd592 100644 --- a/dsf-common/dsf-common-status/pom.xml +++ b/dsf-common/dsf-common-status/pom.xml @@ -48,6 +48,12 @@ org.springframework spring-context + + + commons-logging + commons-logging + + org.apache.commons diff --git a/dsf-maven/dsf-maven-plugin/pom.xml b/dsf-maven/dsf-maven-plugin/pom.xml index fa6486a2f..13fd1c11b 100644 --- a/dsf-maven/dsf-maven-plugin/pom.xml +++ b/dsf-maven/dsf-maven-plugin/pom.xml @@ -138,6 +138,12 @@ org.springframework spring-core + + + commons-logging + commons-logging + + diff --git a/pom.xml b/pom.xml index 0ab5b8de4..09cc5d04b 100755 --- a/pom.xml +++ b/pom.xml @@ -38,14 +38,14 @@ ${project.basedir} - 2.0.17 - 2.25.4 - 12.1.8 + 2.0.18 + 2.26.0 + 12.1.10 3.1.11 2.2.2 - 6.2.18 - 2.21.2 - 1.1.1 + 7.0.7 + 2.21.4 + 2.1.1 5.1.0 8.4.2 6.5.27 @@ -183,7 +183,7 @@ org.postgresql postgresql - 42.7.10 + 42.7.11 org.checkerframework @@ -193,7 +193,7 @@ com.github.ben-manes.caffeine caffeine - 3.2.3 + 3.2.4 @@ -205,7 +205,7 @@ com.auth0 java-jwt - 4.5.1 + 4.5.2 
@@ -293,8 +293,6 @@ com.fasterxml.jackson.core jackson-annotations - 2.21 @@ -334,7 +332,7 @@ org.glassfish.jaxb jaxb-runtime - 4.0.7 + 4.0.9 @@ -448,17 +446,17 @@ com.google.code.gson gson - 2.13.2 + 2.14.0 org.thymeleaf thymeleaf - 3.1.4.RELEASE + 3.1.5.RELEASE com.nimbusds nimbus-jose-jwt - 10.9 + 10.9.1 org.fhir @@ -469,12 +467,12 @@ commons-io commons-io - 2.21.0 + 2.22.0 commons-codec commons-codec - 1.21.0 + 1.22.0 @@ -508,25 +506,25 @@ org.ow2.asm asm - 9.9.1 + 9.10.1 org.apache.tika tika-core - 3.3.0 + 3.3.1 org.apache.maven maven-core - 3.9.15 + 3.9.16 org.apache.maven maven-plugin-api - 3.9.15 + 3.9.16 org.apache.maven.plugin-tools @@ -574,12 +572,12 @@ org.apache.maven.plugins maven-surefire-plugin - 3.5.5 + 3.5.6 org.apache.maven.plugins maven-failsafe-plugin - 3.5.5 + 3.5.6 org.apache.maven.plugins @@ -609,7 +607,7 @@ org.apache.maven.plugins maven-dependency-plugin - 3.10.0 + 3.11.0 org.codehaus.mojo @@ -624,12 +622,12 @@ org.apache.maven.plugins maven-enforcer-plugin - 3.6.2 + 3.6.3 org.apache.maven.plugins maven-site-plugin - 3.21.0 + 3.22.0 com.github.spotbugs