Release Notes / Version 12.2404
Handle CVEs for graphql-spring-boot-autoconfigure-15.0.0.jar: subscriptions-transport-ws-browser-client.js
Lodash is directly included in the affected file subscriptions-transport-ws-browser-client.js, which in turn is part of the included graphiql version. Unfortunately the project has been archived and there will be no updates anymore. Since graphiql is a pure developer tool and is only enabled in preview mode, the reported security risk is considered only moderate to low, and the following CVEs were therefore suppressed: CVE-2019-10744, CVE-2020-8203, CVE-2021-23337, CVE-2018-3721, CVE-2019-1010266, CVE-2018-16487, CVE-2020-28500.
The whole library will be replaced with CM12 version 2404 by the latest version of Spring-GraphQL, which is much better supported as a part of the Spring project and also includes a maintained and updated version of graphiql.
(CMS-24020)
Prevent exceptions when logging resource paths
Logging resource paths with org.springframework.core.io.Resource#getURI can fail on Windows development environments in some cases. To prevent such exceptions, log statements have been changed to just use the implicit toString().
(CMS-23900)
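The before/after pattern behind this change, as an added example that is not code from the release notes or from CoreMedia. It assumes SLF4J as the logging facade and uses constructed sample paths; the Resource implementations are Spring's own.

```java
import java.io.IOException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.io.ClassPathResource;
import org.springframework.core.io.FileSystemResource;
import org.springframework.core.io.Resource;

public final class ResourceLogging {

  private static final Logger LOG = LoggerFactory.getLogger(ResourceLogging.class);

  private ResourceLogging() {
  }

  /**
   * Before: Resource#getURI() declares IOException and can fail for some
   * resources (the notes name Windows development environments), so a mere
   * log statement can abort the operation it was meant to describe.
   */
  static void logWithUri(Resource resource) throws IOException {
    LOG.info("Loading {}", resource.getURI());
  }

  /**
   * After: pass the Resource itself. SLF4J calls toString() lazily, and
   * Spring's Resource implementations base toString() on getDescription(),
   * which does not declare or throw an IOException.
   */
  static void logWithToString(Resource resource) {
    LOG.info("Loading {}", resource);
  }

  public static void main(String[] args) {
    // Constructed sample resources; the file path does not need to exist for logging.
    Resource classpath = new ClassPathResource("application.properties");
    Resource file = new FileSystemResource("C:/Program Files/app/config.yml");
    logWithToString(classpath);
    logWithToString(file);
  }
}
```

Passing the Resource object rather than a String also keeps the toString() call inside the logger, so it is skipped entirely when the log level is disabled.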
HeadlessServer: More tolerant request handling for invalid hashes on MediaController
Previously the validation on the MediaController denied requests with wrong or outdated hashes. HeadlessServer now accepts requests with wrong or outdated hashes as long as the rest of the URL parameters are conclusive (id, crop name, filename, width). If this is the case, HeadlessServer now responds with a HTTP 301 / Moved Permanently to the correct URL of the corresponding media, instead of a HTTP 401 / Not Found.
(CMS-23595)
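A Spring MVC sketch of the tolerant handling described above, as an added example that is not CoreMedia's MediaController. The URL layout, the MediaLookup interface, the constant-time hash comparison via MessageDigest.isEqual, and the 404 answer for requests whose remaining parameters are not conclusive are all assumptions made for this example; the notes only specify the 301 case.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import org.springframework.core.io.Resource;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.support.ServletUriComponentsBuilder;

/** Hypothetical lookup service, assumed for this example (not a CoreMedia API). */
interface MediaLookup {
  /** True if id, crop name, width and filename identify a real media variant. */
  boolean exists(String id, String cropName, int width, String filename);
  /** The hash the server itself computes for that variant. */
  String expectedHash(String id, String cropName, int width, String filename);
  /** The binary content of that variant. */
  Resource load(String id, String cropName, int width, String filename);
}

/** Illustrative controller; the URL pattern is an assumption made for the example. */
@RestController
public class TolerantMediaController {

  private static final String PATTERN = "/media/{id}/{cropName}/{width}/{hash}/{filename}";
  private final MediaLookup lookup;

  public TolerantMediaController(MediaLookup lookup) {
    this.lookup = lookup;
  }

  @GetMapping(PATTERN)
  public ResponseEntity<Resource> media(@PathVariable String id,
                                        @PathVariable String cropName,
                                        @PathVariable int width,
                                        @PathVariable String hash,
                                        @PathVariable String filename) {
    // 1. Without a conclusive id/crop/width/filename there is nothing to redirect to
    //    (assumed 404; the notes do not state this case).
    if (!lookup.exists(id, cropName, width, filename)) {
      return ResponseEntity.notFound().build();
    }

    // 2. Compare the supplied hash with the one the server computes.
    //    MessageDigest.isEqual compares in constant time, so the check leaks no timing.
    String expected = lookup.expectedHash(id, cropName, width, filename);
    boolean hashValid = MessageDigest.isEqual(
        expected.getBytes(StandardCharsets.UTF_8),
        hash.getBytes(StandardCharsets.UTF_8));

    // 3. Wrong or outdated hash: answer 301 with the canonical URL instead of rejecting.
    if (!hashValid) {
      String location = ServletUriComponentsBuilder.fromCurrentContextPath()
          .path(PATTERN)
          .buildAndExpand(id, cropName, width, expected, filename)
          .toUriString();
      return ResponseEntity.status(HttpStatus.MOVED_PERMANENTLY)
          .header(HttpHeaders.LOCATION, location)
          .build();
    }

    // 4. Correct hash: serve the media directly.
    return ResponseEntity.ok(lookup.load(id, cropName, width, filename));
  }
}
```

The redirect target is built from the server-side expected hash, so clients holding stale links end up on the canonical URL without the server ever trusting the hash they supplied.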