Bump org.postgresql:postgresql from 42.7.7 to 42.7.8

Bumps [org.postgresql:postgresql](https://github.com/pgjdbc/pgjdbc) from 42.7.7 to 42.7.8. - [Release notes](https://github.com/pgjdbc/pgjdbc/releases) - [Changelog](https://github.com/pgjdbc/pgjdbc/blob/master/CHANGELOG.md) - [Commits](https://github.com/pgjdbc/pgjdbc/compare/REL42.7.7...REL42.7.8) --- updated-dependencies: - dependency-name: org.postgresql:postgresql dependency-version: 42.7.8 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Merge pull request #11365 from DSpace/dependabot/maven/spring-268f5d34da
2025-10-07 10:04:21 +00:00 · 2025-10-06 19:56:30 +00:00 · 2025-10-06 13:36:57 -05:00 · 2025-10-06 13:32:22 -05:00 · 2025-10-06 13:30:16 -05:00 · 2025-10-06 13:26:29 -05:00
297 changed files with 8368 additions and 4863 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -4,7 +4,6 @@
 */target/
 dspace/modules/*/target/
 Dockerfile.*
-dspace/src/main/docker/dspace-postgres-pgcrypto
-dspace/src/main/docker/dspace-postgres-pgcrypto-curl
+dspace/src/main/docker/dspace-postgres-loadsql
 dspace/src/main/docker/README.md
 dspace/src/main/docker-compose/
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -11,8 +11,9 @@ updates:
  # So, only this first section can include "applies-to: security-updates"
  - package-ecosystem: "maven"
    directory: "/"
+    # Monthly dependency updates (NOTE: "schedule" doesn't apply to security updates)
    schedule:
-      interval: "weekly"
+      interval: "monthly"
      time: "02:00"
    # Allow up to 10 open PRs for dependencies
    open-pull-requests-limit: 10
@@ -29,7 +30,7 @@ updates:
        - "com.google.code.findbugs:*"
        - "com.google.errorprone:*"
        - "com.puppycrawl.tools:checkstyle"
-        - "org.sonatype.plugins:*"
+        - "org.sonatype.*:*"
        exclude-patterns:
        # Exclude anything from Spring, as that is in a separate group
        - "org.springframework.*:*"
@@ -44,9 +45,11 @@ updates:
        - "com.h2database:*"
        - "io.findify:s3mock*"
        - "io.netty:*"
+        - "org.apache.httpcomponents.client5:*"
        - "org.hamcrest:*"
        - "org.mock-server:*"
        - "org.mockito:*"
+        - "org.xmlunit:*"
        update-types:
        - "minor"
        - "patch"
@@ -74,7 +77,6 @@ updates:
        patterns:
        - "org.hibernate.*:*"
        update-types:
-        - "minor"
        - "patch"
      # Group together all Jakarta deps in a single PR
      jakarta:
@@ -104,21 +106,36 @@ updates:
        update-types:
        - "minor"
        - "patch"
+      # Group Tika, bouncycastle, and asm because they are tightly integrated
+      # and we theoretically want to keep them in sync.
+      tika:
+        applies-to: version-updates
+        patterns:
+        - "org.apache.tika:*:*"
+        - "org.bouncycastle:*:*"
+        - "org.ow2.asm:*:*"
+        update-types:
+        - "minor"
+        - "patch"
    ignore:
      # Don't try to auto-update any DSpace dependencies
      - dependency-name: "org.dspace:*"
      - dependency-name: "org.dspace.*:*"
+      # Ignore major/minor updates for Hibernate. Only patch updates can be automated.
+      - dependency-name: "org.hibernate.*:*"
+        update-types: ["version-update:semver-major", "version-update:semver-minor"]
      # Ignore all major version updates for all dependencies. We'll only automate minor/patch updates.
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
  ######################
-  ## dspace-8_x branch
+  ## dspace-9_x branch
  ######################
  - package-ecosystem: "maven"
    directory: "/"
-    target-branch: dspace-8_x
+    target-branch: dspace-9_x
    schedule:
-      interval: "weekly"
+      interval: "monthly"
+      time: "02:00"
    # Allow up to 10 open PRs for dependencies
    open-pull-requests-limit: 10
    # Group together some upgrades in a single PR
@@ -134,7 +151,7 @@ updates:
          - "com.google.code.findbugs:*"
          - "com.google.errorprone:*"
          - "com.puppycrawl.tools:checkstyle"
-          - "org.sonatype.plugins:*"
+          - "org.sonatype.*:*"
        exclude-patterns:
          # Exclude anything from Spring, as that is in a separate group
          - "org.springframework.*:*"
@@ -149,9 +166,11 @@ updates:
          - "com.h2database:*"
          - "io.findify:s3mock*"
          - "io.netty:*"
+          - "org.apache.httpcomponents.client5:*"
          - "org.hamcrest:*"
          - "org.mock-server:*"
          - "org.mockito:*"
+          - "org.xmlunit:*"
        update-types:
          - "minor"
          - "patch"
@@ -179,7 +198,6 @@ updates:
        patterns:
          - "org.hibernate.*:*"
        update-types:
-          - "minor"
          - "patch"
      # Group together all Jakarta deps in a single PR
      jakarta:
@@ -209,21 +227,36 @@ updates:
        update-types:
          - "minor"
          - "patch"
+      # Group Tika, bouncycastle, and asm because they are tightly integrated
+      # and we theoretically want to keep them in sync.
+      tika:
+        applies-to: version-updates
+        patterns:
+        - "org.apache.tika:*:*"
+        - "org.bouncycastle:*:*"
+        - "org.ow2.asm:*:*"
+        update-types:
+        - "minor"
+        - "patch"
    ignore:
      # Don't try to auto-update any DSpace dependencies
      - dependency-name: "org.dspace:*"
      - dependency-name: "org.dspace.*:*"
+      # Ignore major/minor updates for Hibernate. Only patch updates can be automated.
+      - dependency-name: "org.hibernate.*:*"
+        update-types: ["version-update:semver-major", "version-update:semver-minor"]
      # Ignore all major version updates for all dependencies. We'll only automate minor/patch updates.
      - dependency-name: "*"
        update-types: [ "version-update:semver-major" ]
  ######################
-  ## dspace-7_x branch
+  ## dspace-8_x branch
  ######################
  - package-ecosystem: "maven"
    directory: "/"
-    target-branch: dspace-7_x
+    target-branch: dspace-8_x
    schedule:
-      interval: "weekly"
+      interval: "monthly"
+      time: "02:00"
    # Allow up to 10 open PRs for dependencies
    open-pull-requests-limit: 10
    # Group together some upgrades in a single PR
@@ -239,7 +272,7 @@ updates:
          - "com.google.code.findbugs:*"
          - "com.google.errorprone:*"
          - "com.puppycrawl.tools:checkstyle"
-          - "org.sonatype.plugins:*"
+          - "org.sonatype.*:*"
        exclude-patterns:
          # Exclude anything from Spring, as that is in a separate group
          - "org.springframework.*:*"
@@ -254,9 +287,11 @@ updates:
          - "com.h2database:*"
          - "io.findify:s3mock*"
          - "io.netty:*"
+          - "org.apache.httpcomponents.client5:*"
          - "org.hamcrest:*"
          - "org.mock-server:*"
          - "org.mockito:*"
+          - "org.xmlunit:*"
        update-types:
          - "minor"
          - "patch"
@@ -284,7 +319,6 @@ updates:
        patterns:
          - "org.hibernate.*:*"
        update-types:
-          - "minor"
          - "patch"
      # Group together all Jakarta deps in a single PR
      jakarta:
@@ -296,6 +330,127 @@ updates:
        update-types:
          - "minor"
          - "patch"
+      # Group together all Spring deps in a single PR
+      spring:
+        applies-to: version-updates
+        patterns:
+          - "org.springframework:*"
+          - "org.springframework.*:*"
+        update-types:
+          - "minor"
+          - "patch"
+      # Group together all WebJARs deps in a single PR
+      webjars:
+        applies-to: version-updates
+        patterns:
+          - "org.webjars:*"
+          - "org.webjars.*:*"
+        update-types:
+          - "minor"
+          - "patch"
+      # Group Tika, bouncycastle, and asm because they are tightly integrated
+      # and we theoretically want to keep them in sync.
+      tika:
+        applies-to: version-updates
+        patterns:
+        - "org.apache.tika:*:*"
+        - "org.bouncycastle:*:*"
+        - "org.ow2.asm:*:*"
+        update-types:
+        - "minor"
+        - "patch"
+    ignore:
+      # Don't try to auto-update any DSpace dependencies
+      - dependency-name: "org.dspace:*"
+      - dependency-name: "org.dspace.*:*"
+      # Ignore major/minor updates for Hibernate. Only patch updates can be automated.
+      - dependency-name: "org.hibernate.*:*"
+        update-types: ["version-update:semver-major", "version-update:semver-minor"]
+      # Ignore all major version updates for all dependencies. We'll only automate minor/patch updates.
+      - dependency-name: "*"
+        update-types: [ "version-update:semver-major" ]
+  ######################
+  ## dspace-7_x branch
+  ######################
+  - package-ecosystem: "maven"
+    directory: "/"
+    target-branch: dspace-7_x
+    schedule:
+      interval: "monthly"
+      time: "02:00"
+    # Allow up to 10 open PRs for dependencies
+    open-pull-requests-limit: 10
+    # Group together some upgrades in a single PR
+    groups:
+      # Group together all Build Tools in a single PR
+      build-tools:
+        applies-to: version-updates
+        patterns:
+          - "org.apache.maven.plugins:*"
+          - "*:*-maven-plugin"
+          - "*:maven-*-plugin"
+          - "com.github.spotbugs:spotbugs"
+          - "com.google.code.findbugs:*"
+          - "com.google.errorprone:*"
+          - "com.puppycrawl.tools:checkstyle"
+          - "org.sonatype.*:*"
+        exclude-patterns:
+          # Exclude anything from Spring, as that is in a separate group
+          - "org.springframework.*:*"
+        update-types:
+          - "minor"
+          - "patch"
+      test-tools:
+        applies-to: version-updates
+        patterns:
+          - "junit:*"
+          - "com.github.stefanbirker:system-rules"
+          - "com.h2database:*"
+          - "io.findify:s3mock*"
+          - "io.netty:*"
+          - "org.hamcrest:*"
+          - "org.mock-server:*"
+          - "org.mockito:*"
+          - "org.xmlunit:*"
+        update-types:
+          - "minor"
+          - "patch"
+      # Group together all Apache Commons deps in a single PR
+      apache-commons:
+        applies-to: version-updates
+        patterns:
+          - "org.apache.commons:*"
+          - "commons-*:commons-*"
+        update-types:
+          - "minor"
+          - "patch"
+      # Group together all fasterxml deps in a single PR
+      fasterxml:
+        applies-to: version-updates
+        patterns:
+          - "com.fasterxml:*"
+          - "com.fasterxml.*:*"
+        update-types:
+          - "minor"
+          - "patch"
+        # Group together all Hibernate deps in a single PR
+      hibernate:
+        applies-to: version-updates
+        patterns:
+          - "org.hibernate.*:*"
+        update-types:
+          - "patch"
+      # Group together all Javax deps in a single PR
+      # NOTE: Javax is only used in 7.x and has been replaced by Jakarta in 8.x and later
+      jakarta:
+        applies-to: version-updates
+        patterns:
+          - "javax.*:*"
+          - "*:javax.mail"
+          - "org.glassfish.jaxb:jaxb-runtime"
+        update-types:
+          - "minor"
+          - "patch"
      # Group together all Google deps in a single PR
      # NOTE: These Google deps are only used in 7.x and have been removed in 8.x and later
      google-apis:
@@ -326,6 +481,17 @@ updates:
        update-types:
          - "minor"
          - "patch"
+      # Group Tika, bouncycastle, and asm because they are tightly integrated
+      # and we theoretically want to keep them in sync.
+      tika:
+        applies-to: version-updates
+        patterns:
+        - "org.apache.tika:*:*"
+        - "org.bouncycastle:*:*"
+        - "org.ow2.asm:*:*"
+        update-types:
+        - "minor"
+        - "patch"
    ignore:
      # Don't try to auto-update any DSpace dependencies
      - dependency-name: "org.dspace:*"
@@ -337,6 +503,9 @@ updates:
      # See https://github.com/DSpace/DSpace/pull/9888#issuecomment-2408165545
      - dependency-name: "org.springframework.security:*"
        versions: [">=5.8.0"]
+      # Ignore major/minor updates for Hibernate. Only patch updates can be automated.
+      - dependency-name: "org.hibernate.*:*"
+        update-types: ["version-update:semver-major", "version-update:semver-minor"]
      # Ignore all major version updates for all dependencies. We'll only automate minor/patch updates.
      - dependency-name: "*"
        update-types: [ "version-update:semver-major" ]
--- a/.github/workflows/codescan.yml
+++ b/.github/workflows/codescan.yml
@@ -47,7 +47,7 @@ jobs:
      # Initializes the CodeQL tools for scanning.
      # https://github.com/github/codeql-action
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@v3
        with:
          # Codescan Javascript as well since a few JS files exist in REST API's interface
          languages: java, javascript
@@ -56,8 +56,8 @@ jobs:
      # NOTE: Based on testing, this autobuild process works well for DSpace. A custom
      # DSpace build w/caching (like in build.yml) was about the same speed as autobuild.
      - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
+        uses: github/codeql-action/autobuild@v3

      # Perform GitHub Code Scanning.
      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@v3
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -113,39 +113,19 @@ jobs:
      REDEPLOY_SANDBOX_URL: ${{ secrets.REDEPLOY_SANDBOX_SOLR_URL }}
      REDEPLOY_DEMO_URL: ${{ secrets.REDEPLOY_DEMO_SOLR_URL }}

-  ###########################################################
-  # Build/Push the 'dspace/dspace-postgres-pgcrypto' image
-  ###########################################################
-  dspace-postgres-pgcrypto:
+  ########################################################
+  # Build/Push the 'dspace/dspace-postgres-loadsql' image
+  ########################################################
+  dspace-postgres-loadsql:
    # Ensure this job never runs on forked repos. It's only executed for 'dspace/dspace'
    if: github.repository == 'dspace/dspace'
    uses: ./.github/workflows/reusable-docker-build.yml
    with:
-      build_id: dspace-postgres-pgcrypto-prod
-      image_name: dspace/dspace-postgres-pgcrypto
-      # Must build out of subdirectory to have access to install script for pgcrypto.
+      build_id: dspace-postgres-loadsql
+      image_name: dspace/dspace-postgres-loadsql
+      # Must build out of subdirectory to have access to install script.
      # NOTE: this context will build the image based on the Dockerfile in the specified directory
-      dockerfile_context: ./dspace/src/main/docker/dspace-postgres-pgcrypto/
-    secrets:
-      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-      DOCKER_ACCESS_TOKEN: ${{ secrets.DOCKER_ACCESS_TOKEN }}
-
-  ########################################################################
-  # Build/Push the 'dspace/dspace-postgres-pgcrypto' image (-loadsql tag)
-  ########################################################################
-  dspace-postgres-pgcrypto-loadsql:
-    # Ensure this job never runs on forked repos. It's only executed for 'dspace/dspace'
-    if: github.repository == 'dspace/dspace'
-    uses: ./.github/workflows/reusable-docker-build.yml
-    with:
-      build_id: dspace-postgres-pgcrypto-loadsql
-      image_name: dspace/dspace-postgres-pgcrypto
-      # Must build out of subdirectory to have access to install script for pgcrypto.
-      # NOTE: this context will build the image based on the Dockerfile in the specified directory
-      dockerfile_context: ./dspace/src/main/docker/dspace-postgres-pgcrypto-curl/
-      # Suffix all tags with "-loadsql". Otherwise, it uses the same
-      # tagging logic as the primary 'dspace/dspace-postgres-pgcrypto' image above.
-      tags_flavor: suffix=-loadsql
+      dockerfile_context: ./dspace/src/main/docker/dspace-postgres-loadsql/
    secrets:
      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
      DOCKER_ACCESS_TOKEN: ${{ secrets.DOCKER_ACCESS_TOKEN }}
@@ -158,7 +138,7 @@ jobs:
    if: github.repository == 'dspace/dspace'
    runs-on: ubuntu-latest
    # Must run after all major images are built
-    needs: [dspace, dspace-test, dspace-cli, dspace-postgres-pgcrypto, dspace-solr]
+    needs: [dspace, dspace-test, dspace-cli, dspace-solr]
    env:
      # Override defaults dspace.server.url because backend starts at http://127.0.0.1:8080
      dspace__P__server__P__url: http://127.0.0.1:8080/server
@@ -220,6 +200,19 @@ jobs:
          result=$(wget -O- -q http://127.0.0.1:8080/server/api/core/collections)
          echo "$result"
          echo "$result" |  grep -oE "\"Dog in Yard\","
+      # Verify basic backend logging is working.
+      # 1. Access the top communities list. Verify that the "Before request" INFO statement is logged
+      # 2. Access an invalid endpoint (and ignore 404 response). Verify that a "status:404" WARN statement is logged
+      - name: Verify backend is logging properly
+        run: |
+          wget -O/dev/null -q http://127.0.0.1:8080/server/api/core/communities/search/top
+          logs=$(docker compose -f docker-compose.yml logs -n 5 dspace)
+          echo "$logs"
+          echo "$logs" | grep -o "Before request \[GET /server/api/core/communities/search/top\]"
+          wget -O/dev/null -q http://127.0.0.1:8080/server/api/does/not/exist || true
+          logs=$(docker compose -f docker-compose.yml logs -n 5 dspace)
+          echo "$logs"
+          echo "$logs" | grep -o "status:404 exception: The repository type does.not was not found"
      # Verify Handle Server can be stared and is working properly
      # 1. First generate the "[dspace]/handle-server" folder with the sitebndl.zip
      # 2. Start the Handle Server (and wait 20 seconds to let it start up)
--- a/.github/workflows/reusable-docker-build.yml
+++ b/.github/workflows/reusable-docker-build.yml
@@ -72,7 +72,7 @@ env:
  REDEPLOY_SANDBOX_URL: ${{ secrets.REDEPLOY_SANDBOX_URL }}
  REDEPLOY_DEMO_URL: ${{ secrets.REDEPLOY_DEMO_URL }}
  # Current DSpace branches (and architecture) which are deployed to demo.dspace.org & sandbox.dspace.org respectively
-  DEPLOY_DEMO_BRANCH: 'dspace-8_x'
+  DEPLOY_DEMO_BRANCH: 'dspace-9_x'
  DEPLOY_SANDBOX_BRANCH: 'main'
  DEPLOY_ARCH: 'linux/amd64'
  # Registry used during building of Docker images. (All images are later copied to docker.io registry)
@@ -164,7 +164,7 @@ jobs:
          # Use GitHub cache to load cached Docker images and cache the results of this build
          # This decreases the number of images we need to fetch from DockerHub
          cache-from: type=gha,scope=${{ inputs.build_id }}
-          cache-to: type=gha,scope=${{ inputs.build_id }},mode=max
+          cache-to: type=gha,scope=${{ inputs.build_id }},mode=min

      # Export the digest of Docker build locally
      - name: Export Docker build digest
@@ -216,7 +216,7 @@ jobs:
          # Use GitHub cache to load cached Docker images and cache the results of this build
          # This decreases the number of images we need to fetch from DockerHub
          cache-from: type=gha,scope=${{ inputs.build_id }}
-          cache-to: type=gha,scope=${{ inputs.build_id }},mode=max
+          cache-to: type=gha,scope=${{ inputs.build_id }},mode=min
          # Export image to a local TAR file
          outputs: type=docker,dest=/tmp/${{ inputs.build_id }}.tar

--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -10,7 +10,7 @@ DSpace is a community built and supported project. We do not have a centralized
 ## Contribute new code via a Pull Request

 We accept [GitHub Pull Requests (PRs)](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request-from-a-fork) at any time from anyone.
-Contributors to each release are recognized in our [Release Notes](https://wiki.lyrasis.org/display/DSDOC8x/Release+Notes).
+Contributors to each release are recognized in our [Release Notes](https://wiki.lyrasis.org/display/DSDOC9x/Release+Notes).

 Code Contribution Checklist
 - [ ] PRs _should_ be smaller in size (ideally less than 1,000 lines of code, not including comments & tests)
--- a/249
+++ b/249
@@ -21,29 +21,29 @@ https://wiki.lyrasis.org/display/DSPACE/Code+Contribution+Guidelines
    Apache Software License, Version 2.0:

        * Ant-Contrib Tasks (ant-contrib:ant-contrib:1.0b3 - http://ant-contrib.sourceforge.net)
-        * AWS SDK for Java - Core (com.amazonaws:aws-java-sdk-core:1.12.781 - https://aws.amazon.com/sdkforjava)
-        * AWS Java SDK for AWS KMS (com.amazonaws:aws-java-sdk-kms:1.12.781 - https://aws.amazon.com/sdkforjava)
-        * AWS Java SDK for Amazon S3 (com.amazonaws:aws-java-sdk-s3:1.12.781 - https://aws.amazon.com/sdkforjava)
-        * JMES Path Query library (com.amazonaws:jmespath-java:1.12.781 - https://aws.amazon.com/sdkforjava)
+        * AWS SDK for Java - Core (com.amazonaws:aws-java-sdk-core:1.12.783 - https://aws.amazon.com/sdkforjava)
+        * AWS Java SDK for AWS KMS (com.amazonaws:aws-java-sdk-kms:1.12.783 - https://aws.amazon.com/sdkforjava)
+        * AWS Java SDK for Amazon S3 (com.amazonaws:aws-java-sdk-s3:1.12.783 - https://aws.amazon.com/sdkforjava)
+        * JMES Path Query library (com.amazonaws:jmespath-java:1.12.783 - https://aws.amazon.com/sdkforjava)
        * Titanium JSON-LD 1.1 (JRE11) (com.apicatalog:titanium-json-ld:1.3.2 - https://github.com/filip26/titanium-json-ld)
        * HPPC Collections (com.carrotsearch:hppc:0.8.1 - http://labs.carrotsearch.com/hppc.html/hppc)
        * com.drewnoakes:metadata-extractor (com.drewnoakes:metadata-extractor:2.19.0 - https://drewnoakes.com/code/exif/)
        * parso (com.epam:parso:2.0.14 - https://github.com/epam/parso)
        * Internet Time Utility (com.ethlo.time:itu:1.7.0 - https://github.com/ethlo/itu)
        * ClassMate (com.fasterxml:classmate:1.5.1 - https://github.com/FasterXML/java-classmate)
-        * Jackson-annotations (com.fasterxml.jackson.core:jackson-annotations:2.18.2 - https://github.com/FasterXML/jackson)
-        * Jackson-core (com.fasterxml.jackson.core:jackson-core:2.18.2 - https://github.com/FasterXML/jackson-core)
-        * jackson-databind (com.fasterxml.jackson.core:jackson-databind:2.18.2 - https://github.com/FasterXML/jackson)
+        * Jackson-annotations (com.fasterxml.jackson.core:jackson-annotations:2.19.0 - https://github.com/FasterXML/jackson)
+        * Jackson-core (com.fasterxml.jackson.core:jackson-core:2.19.0 - https://github.com/FasterXML/jackson-core)
+        * jackson-databind (com.fasterxml.jackson.core:jackson-databind:2.19.0 - https://github.com/FasterXML/jackson)
        * Jackson dataformat: CBOR (com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:2.17.2 - https://github.com/FasterXML/jackson-dataformats-binary)
        * Jackson dataformat: Smile (com.fasterxml.jackson.dataformat:jackson-dataformat-smile:2.15.2 - https://github.com/FasterXML/jackson-dataformats-binary)
        * Jackson-dataformat-TOML (com.fasterxml.jackson.dataformat:jackson-dataformat-toml:2.15.2 - https://github.com/FasterXML/jackson-dataformats-text)
        * Jackson-dataformat-YAML (com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.16.2 - https://github.com/FasterXML/jackson-dataformats-text)
-        * Jackson datatype: jdk8 (com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.18.2 - https://github.com/FasterXML/jackson-modules-java8/jackson-datatype-jdk8)
-        * Jackson datatype: JSR310 (com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.18.2 - https://github.com/FasterXML/jackson-modules-java8/jackson-datatype-jsr310)
+        * Jackson datatype: jdk8 (com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.18.3 - https://github.com/FasterXML/jackson-modules-java8/jackson-datatype-jdk8)
+        * Jackson datatype: JSR310 (com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.19.0 - https://github.com/FasterXML/jackson-modules-java8/jackson-datatype-jsr310)
        * Jackson Jakarta-RS: base (com.fasterxml.jackson.jakarta.rs:jackson-jakarta-rs-base:2.16.2 - https://github.com/FasterXML/jackson-jakarta-rs-providers/jackson-jakarta-rs-base)
        * Jackson Jakarta-RS: JSON (com.fasterxml.jackson.jakarta.rs:jackson-jakarta-rs-json-provider:2.16.2 - https://github.com/FasterXML/jackson-jakarta-rs-providers/jackson-jakarta-rs-json-provider)
        * Jackson module: Jakarta XML Bind Annotations (jakarta.xml.bind) (com.fasterxml.jackson.module:jackson-module-jakarta-xmlbind-annotations:2.16.2 - https://github.com/FasterXML/jackson-modules-base)
-        * Jackson-module-parameter-names (com.fasterxml.jackson.module:jackson-module-parameter-names:2.18.2 - https://github.com/FasterXML/jackson-modules-java8/jackson-module-parameter-names)
+        * Jackson-module-parameter-names (com.fasterxml.jackson.module:jackson-module-parameter-names:2.18.3 - https://github.com/FasterXML/jackson-modules-java8/jackson-module-parameter-names)
        * Java UUID Generator (com.fasterxml.uuid:java-uuid-generator:4.1.0 - https://github.com/cowtowncoder/java-uuid-generator)
        * Woodstox (com.fasterxml.woodstox:woodstox-core:6.5.1 - https://github.com/FasterXML/woodstox)
        * zjsonpatch (com.flipkart.zjsonpatch:zjsonpatch:0.4.16 - https://github.com/flipkart-incubator/zjsonpatch/)
@@ -60,8 +60,8 @@ https://wiki.lyrasis.org/display/DSPACE/Code+Contribution+Guidelines
        * uri-template (com.github.java-json-tools:uri-template:0.10 - https://github.com/java-json-tools/uri-template)
        * JCIP Annotations under Apache License (com.github.stephenc.jcip:jcip-annotations:1.0-1 - http://stephenc.github.com/jcip-annotations)
        * FindBugs-jsr305 (com.google.code.findbugs:jsr305:3.0.2 - http://findbugs.sourceforge.net/)
-        * Gson (com.google.code.gson:gson:2.12.1 - https://github.com/google/gson)
-        * error-prone annotations (com.google.errorprone:error_prone_annotations:2.36.0 - https://errorprone.info/error_prone_annotations)
+        * Gson (com.google.code.gson:gson:2.13.1 - https://github.com/google/gson)
+        * error-prone annotations (com.google.errorprone:error_prone_annotations:2.38.0 - https://errorprone.info/error_prone_annotations)
        * Guava InternalFutureFailureAccess and InternalFutures (com.google.guava:failureaccess:1.0.1 - https://github.com/google/guava/failureaccess)
        * Guava: Google Core Libraries for Java (com.google.guava:guava:32.1.3-jre - https://github.com/google/guava)
        * Guava ListenableFuture only (com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava - https://github.com/google/guava/listenablefuture)
@@ -69,10 +69,9 @@ https://wiki.lyrasis.org/display/DSPACE/Code+Contribution+Guidelines
        * Google Guice - Extensions - AssistedInject (com.google.inject.extensions:guice-assistedinject:7.0.0 - https://github.com/google/guice/extensions-parent/guice-assistedinject)
        * J2ObjC Annotations (com.google.j2objc:j2objc-annotations:1.3 - https://github.com/google/j2objc/)
        * J2ObjC Annotations (com.google.j2objc:j2objc-annotations:2.8 - https://github.com/google/j2objc/)
-        * ConcurrentLinkedHashMap (com.googlecode.concurrentlinkedhashmap:concurrentlinkedhashmap-lru:1.4.2 - http://code.google.com/p/concurrentlinkedhashmap)
        * libphonenumber (com.googlecode.libphonenumber:libphonenumber:8.11.1 - https://github.com/google/libphonenumber/)
        * Jackcess (com.healthmarketscience.jackcess:jackcess:4.0.8 - https://jackcess.sourceforge.io)
-        * Jackcess Encrypt (com.healthmarketscience.jackcess:jackcess-encrypt:4.0.2 - http://jackcessencrypt.sf.net)
+        * Jackcess Encrypt (com.healthmarketscience.jackcess:jackcess-encrypt:4.0.3 - http://jackcessencrypt.sf.net)
        * json-path (com.jayway.jsonpath:json-path:2.9.0 - https://github.com/jayway/JsonPath)
        * json-path-assert (com.jayway.jsonpath:json-path-assert:2.9.0 - https://github.com/jayway/JsonPath)
        * Disruptor Framework (com.lmax:disruptor:3.4.2 - http://lmax-exchange.github.com/disruptor)
@@ -81,11 +80,15 @@ https://wiki.lyrasis.org/display/DSPACE/Code+Contribution+Guidelines
        * JsonSchemaValidator (com.networknt:json-schema-validator:1.0.76 - https://github.com/networknt/json-schema-validator)
        * Nimbus JOSE+JWT (com.nimbusds:nimbus-jose-jwt:9.28 - https://bitbucket.org/connect2id/nimbus-jose-jwt)
        * Nimbus JOSE+JWT (com.nimbusds:nimbus-jose-jwt:9.48 - https://bitbucket.org/connect2id/nimbus-jose-jwt)
-        * opencsv (com.opencsv:opencsv:5.10 - http://opencsv.sf.net)
+        * opencsv (com.opencsv:opencsv:5.11 - http://opencsv.sf.net)
        * java-libpst (com.pff:java-libpst:0.9.3 - https://github.com/rjohnsondev/java-libpst)
        * rome (com.rometools:rome:1.19.0 - http://rometools.com/rome)
        * rome-modules (com.rometools:rome-modules:1.19.0 - http://rometools.com/rome-modules)
        * rome-utils (com.rometools:rome-utils:1.19.0 - http://rometools.com/rome-utils)
+        * mockwebserver (com.squareup.okhttp3:mockwebserver:4.12.0 - https://square.github.io/okhttp/)
+        * okhttp (com.squareup.okhttp3:okhttp:4.12.0 - https://square.github.io/okhttp/)
+        * okio (com.squareup.okio:okio:3.6.0 - https://github.com/square/okio/)
+        * okio (com.squareup.okio:okio-jvm:3.6.0 - https://github.com/square/okio/)
        * T-Digest (com.tdunning:t-digest:3.1 - https://github.com/tdunning/t-digest)
        * config (com.typesafe:config:1.3.3 - https://github.com/lightbend/config)
        * ssl-config-core (com.typesafe:ssl-config-core_2.13:0.3.8 - https://github.com/lightbend/ssl-config)
@@ -103,7 +106,7 @@ https://wiki.lyrasis.org/display/DSPACE/Code+Contribution+Guidelines
        * Apache Commons Codec (commons-codec:commons-codec:1.18.0 - https://commons.apache.org/proper/commons-codec/)
        * Apache Commons Collections (commons-collections:commons-collections:3.2.2 - http://commons.apache.org/collections/)
        * Commons Digester (commons-digester:commons-digester:2.1 - http://commons.apache.org/digester/)
-        * Apache Commons IO (commons-io:commons-io:2.18.0 - https://commons.apache.org/proper/commons-io/)
+        * Apache Commons IO (commons-io:commons-io:2.19.0 - https://commons.apache.org/proper/commons-io/)
        * Commons Lang (commons-lang:commons-lang:2.6 - http://commons.apache.org/lang/)
        * Apache Commons Logging (commons-logging:commons-logging:1.3.5 - https://commons.apache.org/proper/commons-logging/)
        * Apache Commons Validator (commons-validator:commons-validator:1.9.0 - http://commons.apache.org/proper/commons-validator/)
@@ -117,10 +120,12 @@ https://wiki.lyrasis.org/display/DSPACE/Code+Contribution+Guidelines
        * Metrics Integration with JMX (io.dropwizard.metrics:metrics-jmx:4.1.5 - https://metrics.dropwizard.io/metrics-jmx)
        * JVM Integration for Metrics (io.dropwizard.metrics:metrics-jvm:4.1.5 - https://metrics.dropwizard.io/metrics-jvm)
        * SWORD v2 Common Server Library (forked) (io.gdcc:sword2-server:2.0.0 - https://github.com/gdcc/sword2-server)
-        * micrometer-commons (io.micrometer:micrometer-commons:1.14.5 - https://github.com/micrometer-metrics/micrometer)
-        * micrometer-core (io.micrometer:micrometer-core:1.14.4 - https://github.com/micrometer-metrics/micrometer)
-        * micrometer-jakarta9 (io.micrometer:micrometer-jakarta9:1.14.4 - https://github.com/micrometer-metrics/micrometer)
-        * micrometer-observation (io.micrometer:micrometer-observation:1.14.5 - https://github.com/micrometer-metrics/micrometer)
+        * micrometer-commons (io.micrometer:micrometer-commons:1.14.6 - https://github.com/micrometer-metrics/micrometer)
+        * micrometer-commons (io.micrometer:micrometer-commons:1.14.7 - https://github.com/micrometer-metrics/micrometer)
+        * micrometer-core (io.micrometer:micrometer-core:1.14.6 - https://github.com/micrometer-metrics/micrometer)
+        * micrometer-jakarta9 (io.micrometer:micrometer-jakarta9:1.14.6 - https://github.com/micrometer-metrics/micrometer)
+        * micrometer-observation (io.micrometer:micrometer-observation:1.14.6 - https://github.com/micrometer-metrics/micrometer)
+        * micrometer-observation (io.micrometer:micrometer-observation:1.14.7 - https://github.com/micrometer-metrics/micrometer)
        * Netty/Buffer (io.netty:netty-buffer:4.1.99.Final - https://netty.io/netty-buffer/)
        * Netty/Codec (io.netty:netty-codec:4.1.99.Final - https://netty.io/netty-codec/)
        * Netty/Codec/HTTP (io.netty:netty-codec-http:4.1.86.Final - https://netty.io/netty-codec-http/)
@@ -191,10 +196,10 @@ https://wiki.lyrasis.org/display/DSPACE/Code+Contribution+Guidelines
        * Calcite Linq4j (org.apache.calcite:calcite-linq4j:1.35.0 - https://calcite.apache.org)
        * Apache Calcite Avatica (org.apache.calcite.avatica:avatica-core:1.23.0 - https://calcite.apache.org/avatica)
        * Apache Calcite Avatica Metrics (org.apache.calcite.avatica:avatica-metrics:1.23.0 - https://calcite.apache.org/avatica)
-        * Apache Commons Collections (org.apache.commons:commons-collections4:4.4 - https://commons.apache.org/proper/commons-collections/)
+        * Apache Commons Collections (org.apache.commons:commons-collections4:4.5.0 - https://commons.apache.org/proper/commons-collections/)
        * Apache Commons Compress (org.apache.commons:commons-compress:1.27.1 - https://commons.apache.org/proper/commons-compress/)
-        * Apache Commons Configuration (org.apache.commons:commons-configuration2:2.11.0 - https://commons.apache.org/proper/commons-configuration/)
-        * Apache Commons CSV (org.apache.commons:commons-csv:1.13.0 - https://commons.apache.org/proper/commons-csv/)
+        * Apache Commons Configuration (org.apache.commons:commons-configuration2:2.12.0 - https://commons.apache.org/proper/commons-configuration/)
+        * Apache Commons CSV (org.apache.commons:commons-csv:1.14.0 - https://commons.apache.org/proper/commons-csv/)
        * Apache Commons DBCP (org.apache.commons:commons-dbcp2:2.13.0 - https://commons.apache.org/proper/commons-dbcp/)
        * Apache Commons Digester (org.apache.commons:commons-digester3:3.2 - http://commons.apache.org/digester/)
        * Apache Commons Exec (org.apache.commons:commons-exec:1.3 - http://commons.apache.org/proper/commons-exec/)
@@ -202,7 +207,7 @@ https://wiki.lyrasis.org/display/DSPACE/Code+Contribution+Guidelines
        * Apache Commons Lang (org.apache.commons:commons-lang3:3.17.0 - https://commons.apache.org/proper/commons-lang/)
        * Apache Commons Math (org.apache.commons:commons-math3:3.6.1 - http://commons.apache.org/proper/commons-math/)
        * Apache Commons Pool (org.apache.commons:commons-pool2:2.12.1 - https://commons.apache.org/proper/commons-pool/)
-        * Apache Commons Text (org.apache.commons:commons-text:1.13.0 - https://commons.apache.org/proper/commons-text)
+        * Apache Commons Text (org.apache.commons:commons-text:1.13.1 - https://commons.apache.org/proper/commons-text)
        * Curator Client (org.apache.curator:curator-client:2.13.0 - http://curator.apache.org/curator-client)
        * Curator Framework (org.apache.curator:curator-framework:2.13.0 - http://curator.apache.org/curator-framework)
        * Curator Recipes (org.apache.curator:curator-recipes:2.13.0 - http://curator.apache.org/curator-recipes)
@@ -216,19 +221,19 @@ https://wiki.lyrasis.org/display/DSPACE/Code+Contribution+Guidelines
        * Apache HttpCore (org.apache.httpcomponents:httpcore:4.4.16 - http://hc.apache.org/httpcomponents-core-ga)
        * Apache HttpClient Mime (org.apache.httpcomponents:httpmime:4.5.14 - http://hc.apache.org/httpcomponents-client-ga)
        * Apache HttpClient (org.apache.httpcomponents.client5:httpclient5:5.1.3 - https://hc.apache.org/httpcomponents-client-5.0.x/5.1.3/httpclient5/)
-        * Apache HttpClient (org.apache.httpcomponents.client5:httpclient5:5.4.2 - https://hc.apache.org/httpcomponents-client-5.4.x/5.4.2/httpclient5/)
+        * Apache HttpClient (org.apache.httpcomponents.client5:httpclient5:5.4.4 - https://hc.apache.org/httpcomponents-client-5.4.x/5.4.4/httpclient5/)
        * Apache HttpComponents Core HTTP/1.1 (org.apache.httpcomponents.core5:httpcore5:5.1.3 - https://hc.apache.org/httpcomponents-core-5.1.x/5.1.3/httpcore5/)
-        * Apache HttpComponents Core HTTP/1.1 (org.apache.httpcomponents.core5:httpcore5:5.3.3 - https://hc.apache.org/httpcomponents-core-5.3.x/5.3.3/httpcore5/)
+        * Apache HttpComponents Core HTTP/1.1 (org.apache.httpcomponents.core5:httpcore5:5.3.4 - https://hc.apache.org/httpcomponents-core-5.3.x/5.3.4/httpcore5/)
        * Apache HttpComponents Core HTTP/2 (org.apache.httpcomponents.core5:httpcore5-h2:5.1.3 - https://hc.apache.org/httpcomponents-core-5.1.x/5.1.3/httpcore5-h2/)
-        * Apache HttpComponents Core HTTP/2 (org.apache.httpcomponents.core5:httpcore5-h2:5.3.3 - https://hc.apache.org/httpcomponents-core-5.3.x/5.3.3/httpcore5-h2/)
+        * Apache HttpComponents Core HTTP/2 (org.apache.httpcomponents.core5:httpcore5-h2:5.3.4 - https://hc.apache.org/httpcomponents-core-5.3.x/5.3.4/httpcore5-h2/)
        * Apache James :: Mime4j :: Core (org.apache.james:apache-mime4j-core:0.8.12 - http://james.apache.org/mime4j/apache-mime4j-core)
        * Apache James :: Mime4j :: DOM (org.apache.james:apache-mime4j-dom:0.8.12 - http://james.apache.org/mime4j/apache-mime4j-dom)
-        * jclouds blobstore core (org.apache.jclouds:jclouds-blobstore:2.6.0 - https://jclouds.apache.org/jclouds-blobstore/)
-        * jclouds Components Core (org.apache.jclouds:jclouds-core:2.6.0 - https://jclouds.apache.org/jclouds-core/)
-        * jclouds filesystem core (org.apache.jclouds.api:filesystem:2.6.0 - https://jclouds.apache.org/filesystem/)
-        * jclouds s3 api (org.apache.jclouds.api:s3:2.6.0 - https://jclouds.apache.org/s3/)
-        * jclouds sts api (org.apache.jclouds.api:sts:2.6.0 - https://jclouds.apache.org/sts/)
-        * jclouds Amazon Simple Storage Service (S3) provider (org.apache.jclouds.provider:aws-s3:2.6.0 - https://jclouds.apache.org/aws-s3/)
+        * jclouds blobstore core (org.apache.jclouds:jclouds-blobstore:2.7.0 - https://jclouds.apache.org/jclouds-blobstore/)
+        * jclouds Components Core (org.apache.jclouds:jclouds-core:2.7.0 - https://jclouds.apache.org/jclouds-core/)
+        * jclouds filesystem core (org.apache.jclouds.api:filesystem:2.7.0 - https://jclouds.apache.org/filesystem/)
+        * jclouds s3 api (org.apache.jclouds.api:s3:2.7.0 - https://jclouds.apache.org/s3/)
+        * jclouds sts api (org.apache.jclouds.api:sts:2.7.0 - https://jclouds.apache.org/sts/)
+        * jclouds Amazon Simple Storage Service (S3) provider (org.apache.jclouds.provider:aws-s3:2.7.0 - https://jclouds.apache.org/aws-s3/)
        * Apache Jena - Libraries POM (org.apache.jena:apache-jena-libs:4.10.0 - https://jena.apache.org/apache-jena-libs/)
        * Apache Jena - ARQ (org.apache.jena:jena-arq:4.10.0 - https://jena.apache.org/jena-arq/)
        * Apache Jena - Base (org.apache.jena:jena-base:4.10.0 - https://jena.apache.org/jena-base/)
@@ -280,49 +285,49 @@ https://wiki.lyrasis.org/display/DSPACE/Code+Contribution+Guidelines
        * Lucene Spatial Extras (org.apache.lucene:lucene-spatial-extras:8.11.4 - https://lucene.apache.org/lucene-parent/lucene-spatial-extras)
        * Lucene Spatial 3D (org.apache.lucene:lucene-spatial3d:8.11.4 - https://lucene.apache.org/lucene-parent/lucene-spatial3d)
        * Lucene Suggest (org.apache.lucene:lucene-suggest:8.11.4 - https://lucene.apache.org/lucene-parent/lucene-suggest)
-        * Apache FontBox (org.apache.pdfbox:fontbox:2.0.33 - http://pdfbox.apache.org/)
+        * Apache FontBox (org.apache.pdfbox:fontbox:2.0.34 - http://pdfbox.apache.org/)
        * PDFBox JBIG2 ImageIO plugin (org.apache.pdfbox:jbig2-imageio:3.0.4 - https://www.apache.org/jbig2-imageio/)
        * Apache JempBox (org.apache.pdfbox:jempbox:1.8.17 - http://www.apache.org/pdfbox-parent/jempbox/)
-        * Apache PDFBox (org.apache.pdfbox:pdfbox:2.0.33 - https://www.apache.org/pdfbox-parent/pdfbox/)
-        * Apache PDFBox tools (org.apache.pdfbox:pdfbox-tools:2.0.33 - https://www.apache.org/pdfbox-parent/pdfbox-tools/)
-        * Apache XmpBox (org.apache.pdfbox:xmpbox:2.0.33 - https://www.apache.org/pdfbox-parent/xmpbox/)
-        * Apache POI - Common (org.apache.poi:poi:5.4.0 - https://poi.apache.org/)
-        * Apache POI - API based on OPC and OOXML schemas (org.apache.poi:poi-ooxml:5.4.0 - https://poi.apache.org/)
-        * Apache POI (org.apache.poi:poi-ooxml-lite:5.4.0 - https://poi.apache.org/)
-        * Apache POI (org.apache.poi:poi-scratchpad:5.4.0 - https://poi.apache.org/)
+        * Apache PDFBox (org.apache.pdfbox:pdfbox:2.0.34 - https://www.apache.org/pdfbox-parent/pdfbox/)
+        * Apache PDFBox tools (org.apache.pdfbox:pdfbox-tools:2.0.34 - https://www.apache.org/pdfbox-parent/pdfbox-tools/)
+        * Apache XmpBox (org.apache.pdfbox:xmpbox:2.0.34 - https://www.apache.org/pdfbox-parent/xmpbox/)
+        * Apache POI - Common (org.apache.poi:poi:5.4.1 - https://poi.apache.org/)
+        * Apache POI - API based on OPC and OOXML schemas (org.apache.poi:poi-ooxml:5.4.1 - https://poi.apache.org/)
+        * Apache POI (org.apache.poi:poi-ooxml-lite:5.4.1 - https://poi.apache.org/)
+        * Apache POI (org.apache.poi:poi-scratchpad:5.4.1 - https://poi.apache.org/)
        * Apache XML Security for Java (org.apache.santuario:xmlsec:2.3.4 - https://santuario.apache.org/)
        * Apache Solr Core (org.apache.solr:solr-core:8.11.4 - https://lucene.apache.org/solr-parent/solr-core)
        * Apache Solr Solrj (org.apache.solr:solr-solrj:8.11.4 - https://lucene.apache.org/solr-parent/solr-solrj)
        * Apache Standard Taglib Implementation (org.apache.taglibs:taglibs-standard-impl:1.2.5 - http://tomcat.apache.org/taglibs/standard-1.2.5/taglibs-standard-impl)
        * Apache Standard Taglib Specification API (org.apache.taglibs:taglibs-standard-spec:1.2.5 - http://tomcat.apache.org/taglibs/standard-1.2.5/taglibs-standard-spec)
        * Apache Thrift (org.apache.thrift:libthrift:0.19.0 - http://thrift.apache.org)
-        * Apache Tika core (org.apache.tika:tika-core:2.9.3 - https://tika.apache.org/)
-        * Apache Tika Apple parser module (org.apache.tika:tika-parser-apple-module:2.9.3 - https://tika.apache.org/tika-parser-apple-module/)
-        * Apache Tika audiovideo parser module (org.apache.tika:tika-parser-audiovideo-module:2.9.3 - https://tika.apache.org/tika-parser-audiovideo-module/)
-        * Apache Tika cad parser module (org.apache.tika:tika-parser-cad-module:2.9.3 - https://tika.apache.org/tika-parser-cad-module/)
-        * Apache Tika code parser module (org.apache.tika:tika-parser-code-module:2.9.3 - https://tika.apache.org/tika-parser-code-module/)
-        * Apache Tika crypto parser module (org.apache.tika:tika-parser-crypto-module:2.9.3 - https://tika.apache.org/tika-parser-crypto-module/)
-        * Apache Tika digest commons (org.apache.tika:tika-parser-digest-commons:2.9.3 - https://tika.apache.org/tika-parser-digest-commons/)
-        * Apache Tika font parser module (org.apache.tika:tika-parser-font-module:2.9.3 - https://tika.apache.org/tika-parser-font-module/)
-        * Apache Tika html parser module (org.apache.tika:tika-parser-html-module:2.9.3 - https://tika.apache.org/tika-parser-html-module/)
-        * Apache Tika image parser module (org.apache.tika:tika-parser-image-module:2.9.3 - https://tika.apache.org/tika-parser-image-module/)
-        * Apache Tika mail commons (org.apache.tika:tika-parser-mail-commons:2.9.3 - https://tika.apache.org/tika-parser-mail-commons/)
-        * Apache Tika mail parser module (org.apache.tika:tika-parser-mail-module:2.9.3 - https://tika.apache.org/tika-parser-mail-module/)
-        * Apache Tika Microsoft parser module (org.apache.tika:tika-parser-microsoft-module:2.9.3 - https://tika.apache.org/tika-parser-microsoft-module/)
-        * Apache Tika miscellaneous office format parser module (org.apache.tika:tika-parser-miscoffice-module:2.9.3 - https://tika.apache.org/tika-parser-miscoffice-module/)
-        * Apache Tika news parser module (org.apache.tika:tika-parser-news-module:2.9.3 - https://tika.apache.org/tika-parser-news-module/)
-        * Apache Tika OCR parser module (org.apache.tika:tika-parser-ocr-module:2.9.3 - https://tika.apache.org/tika-parser-ocr-module/)
-        * Apache Tika PDF parser module (org.apache.tika:tika-parser-pdf-module:2.9.3 - https://tika.apache.org/tika-parser-pdf-module/)
-        * Apache Tika package parser module (org.apache.tika:tika-parser-pkg-module:2.9.3 - https://tika.apache.org/tika-parser-pkg-module/)
-        * Apache Tika text parser module (org.apache.tika:tika-parser-text-module:2.9.3 - https://tika.apache.org/tika-parser-text-module/)
-        * Apache Tika WARC parser module (org.apache.tika:tika-parser-webarchive-module:2.9.3 - https://tika.apache.org/tika-parser-webarchive-module/)
-        * Apache Tika XML parser module (org.apache.tika:tika-parser-xml-module:2.9.3 - https://tika.apache.org/tika-parser-xml-module/)
-        * Apache Tika XMP commons (org.apache.tika:tika-parser-xmp-commons:2.9.3 - https://tika.apache.org/tika-parser-xmp-commons/)
-        * Apache Tika ZIP commons (org.apache.tika:tika-parser-zip-commons:2.9.3 - https://tika.apache.org/tika-parser-zip-commons/)
-        * Apache Tika standard parser package (org.apache.tika:tika-parsers-standard-package:2.9.3 - https://tika.apache.org/tika-parsers/tika-parsers-standard/tika-parsers-standard-package/)
-        * tomcat-embed-core (org.apache.tomcat.embed:tomcat-embed-core:10.1.36 - https://tomcat.apache.org/)
-        * tomcat-embed-el (org.apache.tomcat.embed:tomcat-embed-el:10.1.36 - https://tomcat.apache.org/)
-        * tomcat-embed-websocket (org.apache.tomcat.embed:tomcat-embed-websocket:10.1.36 - https://tomcat.apache.org/)
+        * Apache Tika core (org.apache.tika:tika-core:2.9.4 - https://tika.apache.org/)
+        * Apache Tika Apple parser module (org.apache.tika:tika-parser-apple-module:2.9.4 - https://tika.apache.org/tika-parser-apple-module/)
+        * Apache Tika audiovideo parser module (org.apache.tika:tika-parser-audiovideo-module:2.9.4 - https://tika.apache.org/tika-parser-audiovideo-module/)
+        * Apache Tika cad parser module (org.apache.tika:tika-parser-cad-module:2.9.4 - https://tika.apache.org/tika-parser-cad-module/)
+        * Apache Tika code parser module (org.apache.tika:tika-parser-code-module:2.9.4 - https://tika.apache.org/tika-parser-code-module/)
+        * Apache Tika crypto parser module (org.apache.tika:tika-parser-crypto-module:2.9.4 - https://tika.apache.org/tika-parser-crypto-module/)
+        * Apache Tika digest commons (org.apache.tika:tika-parser-digest-commons:2.9.4 - https://tika.apache.org/tika-parser-digest-commons/)
+        * Apache Tika font parser module (org.apache.tika:tika-parser-font-module:2.9.4 - https://tika.apache.org/tika-parser-font-module/)
+        * Apache Tika html parser module (org.apache.tika:tika-parser-html-module:2.9.4 - https://tika.apache.org/tika-parser-html-module/)
+        * Apache Tika image parser module (org.apache.tika:tika-parser-image-module:2.9.4 - https://tika.apache.org/tika-parser-image-module/)
+        * Apache Tika mail commons (org.apache.tika:tika-parser-mail-commons:2.9.4 - https://tika.apache.org/tika-parser-mail-commons/)
+        * Apache Tika mail parser module (org.apache.tika:tika-parser-mail-module:2.9.4 - https://tika.apache.org/tika-parser-mail-module/)
+        * Apache Tika Microsoft parser module (org.apache.tika:tika-parser-microsoft-module:2.9.4 - https://tika.apache.org/tika-parser-microsoft-module/)
+        * Apache Tika miscellaneous office format parser module (org.apache.tika:tika-parser-miscoffice-module:2.9.4 - https://tika.apache.org/tika-parser-miscoffice-module/)
+        * Apache Tika news parser module (org.apache.tika:tika-parser-news-module:2.9.4 - https://tika.apache.org/tika-parser-news-module/)
+        * Apache Tika OCR parser module (org.apache.tika:tika-parser-ocr-module:2.9.4 - https://tika.apache.org/tika-parser-ocr-module/)
+        * Apache Tika PDF parser module (org.apache.tika:tika-parser-pdf-module:2.9.4 - https://tika.apache.org/tika-parser-pdf-module/)
+        * Apache Tika package parser module (org.apache.tika:tika-parser-pkg-module:2.9.4 - https://tika.apache.org/tika-parser-pkg-module/)
+        * Apache Tika text parser module (org.apache.tika:tika-parser-text-module:2.9.4 - https://tika.apache.org/tika-parser-text-module/)
+        * Apache Tika WARC parser module (org.apache.tika:tika-parser-webarchive-module:2.9.4 - https://tika.apache.org/tika-parser-webarchive-module/)
+        * Apache Tika XML parser module (org.apache.tika:tika-parser-xml-module:2.9.4 - https://tika.apache.org/tika-parser-xml-module/)
+        * Apache Tika XMP commons (org.apache.tika:tika-parser-xmp-commons:2.9.4 - https://tika.apache.org/tika-parser-xmp-commons/)
+        * Apache Tika ZIP commons (org.apache.tika:tika-parser-zip-commons:2.9.4 - https://tika.apache.org/tika-parser-zip-commons/)
+        * Apache Tika standard parser package (org.apache.tika:tika-parsers-standard-package:2.9.4 - https://tika.apache.org/tika-parsers/tika-parsers-standard/tika-parsers-standard-package/)
+        * tomcat-embed-core (org.apache.tomcat.embed:tomcat-embed-core:10.1.40 - https://tomcat.apache.org/)
+        * tomcat-embed-el (org.apache.tomcat.embed:tomcat-embed-el:10.1.40 - https://tomcat.apache.org/)
+        * tomcat-embed-websocket (org.apache.tomcat.embed:tomcat-embed-websocket:10.1.40 - https://tomcat.apache.org/)
        * Apache Velocity - Engine (org.apache.velocity:velocity-engine-core:2.4.1 - http://velocity.apache.org/engine/devel/velocity-engine-core/)
        * Apache Velocity - JSR 223 Scripting (org.apache.velocity:velocity-engine-scripting:2.3 - http://velocity.apache.org/engine/devel/velocity-engine-scripting/)
        * Apache Velocity Tools - Generic tools (org.apache.velocity.tools:velocity-tools-generic:3.1 - https://velocity.apache.org/tools/devel/velocity-tools-generic/)
@@ -397,6 +402,11 @@ https://wiki.lyrasis.org/display/DSPACE/Code+Contribution+Guidelines
        * Javassist (org.javassist:javassist:3.30.2-GA - https://www.javassist.org/)
        * JBoss Logging 3 (org.jboss.logging:jboss-logging:3.6.1.Final - http://www.jboss.org)
        * JDOM (org.jdom:jdom2:2.0.6.1 - http://www.jdom.org)
+        * IntelliJ IDEA Annotations (org.jetbrains:annotations:13.0 - http://www.jetbrains.org)
+        * Kotlin Stdlib (org.jetbrains.kotlin:kotlin-stdlib:1.8.21 - https://kotlinlang.org/)
+        * Kotlin Stdlib Common (org.jetbrains.kotlin:kotlin-stdlib-common:1.8.21 - https://kotlinlang.org/)
+        * Kotlin Stdlib Jdk7 (org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.8.21 - https://kotlinlang.org/)
+        * Kotlin Stdlib Jdk8 (org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.8.21 - https://kotlinlang.org/)
        * Proj4J (org.locationtech.proj4j:proj4j:1.1.5 - https://github.com/locationtech/proj4j)
        * Spatial4J (org.locationtech.spatial4j:spatial4j:0.7 - https://projects.eclipse.org/projects/locationtech.spatial4j)
        * MockServer Java Client (org.mock-server:mockserver-client-java:5.15.0 - https://www.mock-server.com)
@@ -417,8 +427,6 @@ https://wiki.lyrasis.org/display/DSPACE/Code+Contribution+Guidelines
        * OpenSAML :: Storage API (org.opensaml:opensaml-storage-api:4.3.2 - http://shibboleth.net/opensaml-storage-api/)
        * OpenSAML :: XML Security API (org.opensaml:opensaml-xmlsec-api:4.3.2 - http://shibboleth.net/opensaml-xmlsec-api/)
        * OpenSAML :: XML Security Implementation (org.opensaml:opensaml-xmlsec-impl:4.3.2 - http://shibboleth.net/opensaml-xmlsec-impl/)
-        * parboiled-core (org.parboiled:parboiled-core:1.1.7 - http://parboiled.org)
-        * parboiled-java (org.parboiled:parboiled-java:1.1.7 - http://parboiled.org)
        * org.roaringbitmap:RoaringBitmap (org.roaringbitmap:RoaringBitmap:1.0.0 - https://github.com/RoaringBitmap/RoaringBitmap)
        * RRD4J (org.rrd4j:rrd4j:3.5 - https://github.com/rrd4j/rrd4j/)
        * Scala Library (org.scala-lang:scala-library:2.13.2 - https://www.scala-lang.org/)
@@ -428,50 +436,51 @@ https://wiki.lyrasis.org/display/DSPACE/Code+Contribution+Guidelines
        * scala-parser-combinators (org.scala-lang.modules:scala-parser-combinators_2.13:1.1.2 - http://www.scala-lang.org/)
        * scala-xml (org.scala-lang.modules:scala-xml_2.13:1.3.0 - http://www.scala-lang.org/)
        * JSONassert (org.skyscreamer:jsonassert:1.5.3 - https://github.com/skyscreamer/JSONassert)
-        * JCL 1.2 implemented over SLF4J (org.slf4j:jcl-over-slf4j:2.0.16 - http://www.slf4j.org)
-        * Spring AOP (org.springframework:spring-aop:6.2.4 - https://github.com/spring-projects/spring-framework)
-        * Spring Beans (org.springframework:spring-beans:6.2.4 - https://github.com/spring-projects/spring-framework)
-        * Spring Context (org.springframework:spring-context:6.2.4 - https://github.com/spring-projects/spring-framework)
-        * Spring Context Support (org.springframework:spring-context-support:6.2.4 - https://github.com/spring-projects/spring-framework)
-        * Spring Core (org.springframework:spring-core:6.2.4 - https://github.com/spring-projects/spring-framework)
-        * Spring Expression Language (SpEL) (org.springframework:spring-expression:6.2.4 - https://github.com/spring-projects/spring-framework)
-        * Spring Commons Logging Bridge (org.springframework:spring-jcl:6.2.4 - https://github.com/spring-projects/spring-framework)
-        * Spring JDBC (org.springframework:spring-jdbc:6.2.4 - https://github.com/spring-projects/spring-framework)
-        * Spring Object/Relational Mapping (org.springframework:spring-orm:6.2.4 - https://github.com/spring-projects/spring-framework)
-        * Spring TestContext Framework (org.springframework:spring-test:6.2.4 - https://github.com/spring-projects/spring-framework)
-        * Spring Transaction (org.springframework:spring-tx:6.2.4 - https://github.com/spring-projects/spring-framework)
-        * Spring Web (org.springframework:spring-web:6.2.4 - https://github.com/spring-projects/spring-framework)
-        * Spring Web MVC (org.springframework:spring-webmvc:6.2.4 - https://github.com/spring-projects/spring-framework)
-        * spring-boot (org.springframework.boot:spring-boot:3.4.3 - https://spring.io/projects/spring-boot)
-        * spring-boot-actuator (org.springframework.boot:spring-boot-actuator:3.4.3 - https://spring.io/projects/spring-boot)
-        * spring-boot-actuator-autoconfigure (org.springframework.boot:spring-boot-actuator-autoconfigure:3.4.3 - https://spring.io/projects/spring-boot)
-        * spring-boot-autoconfigure (org.springframework.boot:spring-boot-autoconfigure:3.4.3 - https://spring.io/projects/spring-boot)
-        * Spring Boot Configuration Processor (org.springframework.boot:spring-boot-configuration-processor:2.0.0.RELEASE - https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-tools/spring-boot-configuration-processor)
-        * spring-boot-starter (org.springframework.boot:spring-boot-starter:3.4.3 - https://spring.io/projects/spring-boot)
-        * spring-boot-starter-actuator (org.springframework.boot:spring-boot-starter-actuator:3.4.3 - https://spring.io/projects/spring-boot)
-        * spring-boot-starter-aop (org.springframework.boot:spring-boot-starter-aop:3.4.3 - https://spring.io/projects/spring-boot)
-        * spring-boot-starter-cache (org.springframework.boot:spring-boot-starter-cache:3.4.3 - https://spring.io/projects/spring-boot)
-        * spring-boot-starter-data-rest (org.springframework.boot:spring-boot-starter-data-rest:3.4.3 - https://spring.io/projects/spring-boot)
-        * spring-boot-starter-json (org.springframework.boot:spring-boot-starter-json:3.4.3 - https://spring.io/projects/spring-boot)
-        * spring-boot-starter-log4j2 (org.springframework.boot:spring-boot-starter-log4j2:3.4.3 - https://spring.io/projects/spring-boot)
-        * spring-boot-starter-security (org.springframework.boot:spring-boot-starter-security:3.4.3 - https://spring.io/projects/spring-boot)
-        * spring-boot-starter-test (org.springframework.boot:spring-boot-starter-test:3.4.3 - https://spring.io/projects/spring-boot)
-        * spring-boot-starter-tomcat (org.springframework.boot:spring-boot-starter-tomcat:3.4.3 - https://spring.io/projects/spring-boot)
-        * spring-boot-starter-web (org.springframework.boot:spring-boot-starter-web:3.4.3 - https://spring.io/projects/spring-boot)
-        * spring-boot-test (org.springframework.boot:spring-boot-test:3.4.3 - https://spring.io/projects/spring-boot)
-        * spring-boot-test-autoconfigure (org.springframework.boot:spring-boot-test-autoconfigure:3.4.3 - https://spring.io/projects/spring-boot)
-        * Spring Data Core (org.springframework.data:spring-data-commons:3.4.3 - https://spring.io/projects/spring-data)
-        * Spring Data REST - Core (org.springframework.data:spring-data-rest-core:4.4.3 - https://www.spring.io/spring-data/spring-data-rest-parent/spring-data-rest-core)
-        * Spring Data REST - WebMVC (org.springframework.data:spring-data-rest-webmvc:4.4.3 - https://www.spring.io/spring-data/spring-data-rest-parent/spring-data-rest-webmvc)
+        * JCL 1.2 implemented over SLF4J (org.slf4j:jcl-over-slf4j:2.0.17 - http://www.slf4j.org)
+        * Spring AOP (org.springframework:spring-aop:6.2.7 - https://github.com/spring-projects/spring-framework)
+        * Spring Beans (org.springframework:spring-beans:6.2.7 - https://github.com/spring-projects/spring-framework)
+        * Spring Context (org.springframework:spring-context:6.2.7 - https://github.com/spring-projects/spring-framework)
+        * Spring Context Support (org.springframework:spring-context-support:6.2.7 - https://github.com/spring-projects/spring-framework)
+        * Spring Core (org.springframework:spring-core:6.2.7 - https://github.com/spring-projects/spring-framework)
+        * Spring Expression Language (SpEL) (org.springframework:spring-expression:6.2.7 - https://github.com/spring-projects/spring-framework)
+        * Spring Commons Logging Bridge (org.springframework:spring-jcl:6.2.7 - https://github.com/spring-projects/spring-framework)
+        * Spring JDBC (org.springframework:spring-jdbc:6.2.7 - https://github.com/spring-projects/spring-framework)
+        * Spring Object/Relational Mapping (org.springframework:spring-orm:6.2.7 - https://github.com/spring-projects/spring-framework)
+        * Spring TestContext Framework (org.springframework:spring-test:6.2.7 - https://github.com/spring-projects/spring-framework)
+        * Spring Transaction (org.springframework:spring-tx:6.2.7 - https://github.com/spring-projects/spring-framework)
+        * Spring Web (org.springframework:spring-web:6.2.7 - https://github.com/spring-projects/spring-framework)
+        * Spring Web MVC (org.springframework:spring-webmvc:6.2.7 - https://github.com/spring-projects/spring-framework)
+        * spring-boot (org.springframework.boot:spring-boot:3.4.5 - https://spring.io/projects/spring-boot)
+        * spring-boot-actuator (org.springframework.boot:spring-boot-actuator:3.4.5 - https://spring.io/projects/spring-boot)
+        * spring-boot-actuator-autoconfigure (org.springframework.boot:spring-boot-actuator-autoconfigure:3.4.5 - https://spring.io/projects/spring-boot)
+        * spring-boot-autoconfigure (org.springframework.boot:spring-boot-autoconfigure:3.4.5 - https://spring.io/projects/spring-boot)
+        * spring-boot-starter (org.springframework.boot:spring-boot-starter:3.4.5 - https://spring.io/projects/spring-boot)
+        * spring-boot-starter-actuator (org.springframework.boot:spring-boot-starter-actuator:3.4.5 - https://spring.io/projects/spring-boot)
+        * spring-boot-starter-aop (org.springframework.boot:spring-boot-starter-aop:3.4.5 - https://spring.io/projects/spring-boot)
+        * spring-boot-starter-cache (org.springframework.boot:spring-boot-starter-cache:3.4.5 - https://spring.io/projects/spring-boot)
+        * spring-boot-starter-data-rest (org.springframework.boot:spring-boot-starter-data-rest:3.4.5 - https://spring.io/projects/spring-boot)
+        * spring-boot-starter-json (org.springframework.boot:spring-boot-starter-json:3.4.5 - https://spring.io/projects/spring-boot)
+        * spring-boot-starter-log4j2 (org.springframework.boot:spring-boot-starter-log4j2:3.4.5 - https://spring.io/projects/spring-boot)
+        * spring-boot-starter-security (org.springframework.boot:spring-boot-starter-security:3.4.5 - https://spring.io/projects/spring-boot)
+        * spring-boot-starter-test (org.springframework.boot:spring-boot-starter-test:3.4.5 - https://spring.io/projects/spring-boot)
+        * spring-boot-starter-thymeleaf (org.springframework.boot:spring-boot-starter-thymeleaf:3.4.5 - https://spring.io/projects/spring-boot)
+        * spring-boot-starter-tomcat (org.springframework.boot:spring-boot-starter-tomcat:3.4.5 - https://spring.io/projects/spring-boot)
+        * spring-boot-starter-web (org.springframework.boot:spring-boot-starter-web:3.4.5 - https://spring.io/projects/spring-boot)
+        * spring-boot-test (org.springframework.boot:spring-boot-test:3.4.5 - https://spring.io/projects/spring-boot)
+        * spring-boot-test-autoconfigure (org.springframework.boot:spring-boot-test-autoconfigure:3.4.5 - https://spring.io/projects/spring-boot)
+        * Spring Data Core (org.springframework.data:spring-data-commons:3.4.5 - https://spring.io/projects/spring-data)
+        * Spring Data REST - Core (org.springframework.data:spring-data-rest-core:4.4.5 - https://www.spring.io/spring-data/spring-data-rest-parent/spring-data-rest-core)
+        * Spring Data REST - WebMVC (org.springframework.data:spring-data-rest-webmvc:4.4.5 - https://www.spring.io/spring-data/spring-data-rest-parent/spring-data-rest-webmvc)
        * Spring HATEOAS (org.springframework.hateoas:spring-hateoas:2.4.1 - https://github.com/spring-projects/spring-hateoas)
        * Spring Plugin - Core (org.springframework.plugin:spring-plugin-core:3.0.0 - https://github.com/spring-projects/spring-plugin/spring-plugin-core)
-        * spring-security-config (org.springframework.security:spring-security-config:6.4.3 - https://spring.io/projects/spring-security)
-        * spring-security-core (org.springframework.security:spring-security-core:6.4.4 - https://spring.io/projects/spring-security)
-        * spring-security-crypto (org.springframework.security:spring-security-crypto:6.4.4 - https://spring.io/projects/spring-security)
-        * spring-security-saml2-service-provider (org.springframework.security:spring-security-saml2-service-provider:6.4.4 - https://spring.io/projects/spring-security)
-        * spring-security-test (org.springframework.security:spring-security-test:6.4.4 - https://spring.io/projects/spring-security)
-        * spring-security-web (org.springframework.security:spring-security-web:6.4.4 - https://spring.io/projects/spring-security)
+        * spring-security-config (org.springframework.security:spring-security-config:6.4.5 - https://spring.io/projects/spring-security)
+        * spring-security-core (org.springframework.security:spring-security-core:6.4.5 - https://spring.io/projects/spring-security)
+        * spring-security-crypto (org.springframework.security:spring-security-crypto:6.4.5 - https://spring.io/projects/spring-security)
+        * spring-security-saml2-service-provider (org.springframework.security:spring-security-saml2-service-provider:6.4.5 - https://spring.io/projects/spring-security)
+        * spring-security-test (org.springframework.security:spring-security-test:6.4.5 - https://spring.io/projects/spring-security)
+        * spring-security-web (org.springframework.security:spring-security-web:6.4.5 - https://spring.io/projects/spring-security)
        * thymeleaf (org.thymeleaf:thymeleaf:3.1.3.RELEASE - http://www.thymeleaf.org/thymeleaf-lib/thymeleaf)
+        * thymeleaf-spring6 (org.thymeleaf:thymeleaf-spring6:3.1.3.RELEASE - http://www.thymeleaf.org/thymeleaf-lib/thymeleaf-spring6)
        * unbescape (org.unbescape:unbescape:1.1.6.RELEASE - http://www.unbescape.org)
        * snappy-java (org.xerial.snappy:snappy-java:1.1.10.1 - https://github.com/xerial/snappy-java)
        * xml-matchers (org.xmlmatchers:xml-matchers:0.10 - http://code.google.com/p/xml-matchers/)
@@ -509,7 +518,6 @@ https://wiki.lyrasis.org/display/DSPACE/Code+Contribution+Guidelines
        * asm-analysis (org.ow2.asm:asm-analysis:8.0.1 - http://asm.ow2.io/)
        * asm-commons (org.ow2.asm:asm-commons:8.0.1 - http://asm.ow2.io/)
        * asm-tree (org.ow2.asm:asm-tree:8.0.1 - http://asm.ow2.io/)
-        * ASM Util (org.ow2.asm:asm-util:5.0.3 - http://asm.objectweb.org/asm-util/)
        * PostgreSQL JDBC Driver (org.postgresql:postgresql:42.7.5 - https://jdbc.postgresql.org)
        * Reflections (org.reflections:reflections:0.9.12 - http://github.com/ronmamo/reflections)
        * JMatIO (org.tallison:jmatio:1.5 - https://github.com/tballison/jmatio)
@@ -578,14 +586,13 @@ https://wiki.lyrasis.org/display/DSPACE/Code+Contribution+Guidelines
        * System Rules (com.github.stefanbirkner:system-rules:1.19.0 - http://stefanbirkner.github.io/system-rules/)
        * H2 Database Engine (com.h2database:h2:2.3.232 - https://h2database.com)
        * Jakarta Annotations API (jakarta.annotation:jakarta.annotation-api:2.1.1 - https://projects.eclipse.org/projects/ee4j.ca)
-        * Jakarta Expression Language API (jakarta.el:jakarta.el-api:5.0.1 - https://projects.eclipse.org/projects/ee4j.el)
        * Jakarta Mail API (jakarta.mail:jakarta.mail-api:2.1.3 - https://projects.eclipse.org/projects/ee4j/jakarta.mail-api)
        * Jakarta Persistence API (jakarta.persistence:jakarta.persistence-api:3.1.0 - https://github.com/eclipse-ee4j/jpa-api)
        * Jakarta Servlet (jakarta.servlet:jakarta.servlet-api:6.1.0 - https://projects.eclipse.org/projects/ee4j.servlet)
        * jakarta.transaction API (jakarta.transaction:jakarta.transaction-api:2.0.1 - https://projects.eclipse.org/projects/ee4j.jta)
        * Jakarta RESTful WS API (jakarta.ws.rs:jakarta.ws.rs-api:3.1.0 - https://github.com/eclipse-ee4j/jaxrs-api)
        * JUnit (junit:junit:4.13.2 - http://junit.org)
-        * AspectJ Weaver (org.aspectj:aspectjweaver:1.9.22.1 - https://www.eclipse.org/aspectj/)
+        * AspectJ Weaver (org.aspectj:aspectjweaver:1.9.24 - https://www.eclipse.org/aspectj/)
        * Angus Mail default provider (org.eclipse.angus:jakarta.mail:2.0.3 - http://eclipse-ee4j.github.io/angus-mail/jakarta.mail)
        * Jetty :: Apache JSP Implementation (org.eclipse.jetty:apache-jsp:9.4.15.v20190215 - http://www.eclipse.org/jetty)
        * Apache :: JSTL module (org.eclipse.jetty:apache-jstl:9.4.15.v20190215 - http://tomcat.apache.org/taglibs/standard/)
@@ -663,8 +670,8 @@ https://wiki.lyrasis.org/display/DSPACE/Code+Contribution+Guidelines
        * Hibernate ORM - hibernate-jpamodelgen (org.hibernate.orm:hibernate-jpamodelgen:6.4.8.Final - https://hibernate.org/orm)
        * im4java (org.im4java:im4java:1.4.0 - http://sourceforge.net/projects/im4java/)
        * Javassist (org.javassist:javassist:3.30.2-GA - https://www.javassist.org/)
-        * Flying Saucer Core Renderer (org.xhtmlrenderer:flying-saucer-core:9.11.4 - http://code.google.com/p/flying-saucer/flying-saucer-core/)
-        * Flying Saucer PDF Rendering (org.xhtmlrenderer:flying-saucer-pdf:9.11.4 - http://code.google.com/p/flying-saucer/flying-saucer-pdf/)
+        * Flying Saucer Core Renderer (org.xhtmlrenderer:flying-saucer-core:9.12.0 - http://code.google.com/p/flying-saucer/flying-saucer-core/)
+        * Flying Saucer PDF Rendering (org.xhtmlrenderer:flying-saucer-pdf:9.12.0 - http://code.google.com/p/flying-saucer/flying-saucer-pdf/)
        * XOM (xom:xom:1.3.9 - https://xom.nu)

    Go License:
@@ -694,13 +701,13 @@ https://wiki.lyrasis.org/display/DSPACE/Code+Contribution+Guidelines
        * Bouncy Castle Provider (org.bouncycastle:bcprov-jdk18on:1.80 - https://www.bouncycastle.org/download/bouncy-castle-java/)
        * Bouncy Castle ASN.1 Extension and Utility APIs (org.bouncycastle:bcutil-jdk18on:1.80 - https://www.bouncycastle.org/download/bouncy-castle-java/)
        * org.brotli:dec (org.brotli:dec:0.1.2 - http://brotli.org/dec)
-        * Checker Qual (org.checkerframework:checker-qual:3.49.0 - https://checkerframework.org/)
+        * Checker Qual (org.checkerframework:checker-qual:3.49.3 - https://checkerframework.org/)
        * jersey-core-client (org.glassfish.jersey.core:jersey-client:3.1.10 - https://projects.eclipse.org/projects/ee4j.jersey/jersey-client)
        * jersey-inject-hk2 (org.glassfish.jersey.inject:jersey-hk2:3.1.10 - https://projects.eclipse.org/projects/ee4j.jersey/project/jersey-hk2)
        * jersey-media-multipart (org.glassfish.jersey.media:jersey-media-multipart:3.1.3 - https://projects.eclipse.org/projects/ee4j.jersey/project/jersey-media-multipart)
        * mockito-core (org.mockito:mockito-core:3.12.4 - https://github.com/mockito/mockito)
        * mockito-inline (org.mockito:mockito-inline:3.12.4 - https://github.com/mockito/mockito)
-        * SLF4J API Module (org.slf4j:slf4j-api:2.0.16 - http://www.slf4j.org)
+        * SLF4J API Module (org.slf4j:slf4j-api:2.0.17 - http://www.slf4j.org)
        * HAL Browser (org.webjars:hal-browser:ad9b865 - http://webjars.org)
        * toastr (org.webjars.bowergithub.codeseven:toastr:2.1.4 - http://webjars.org)
        * backbone (org.webjars.bowergithub.jashkenas:backbone:1.4.1 - https://www.webjars.org)
@@ -708,15 +715,15 @@ https://wiki.lyrasis.org/display/DSPACE/Code+Contribution+Guidelines
        * jquery (org.webjars.bowergithub.jquery:jquery-dist:3.7.1 - https://www.webjars.org)
        * urijs (org.webjars.bowergithub.medialize:uri.js:1.19.11 - https://www.webjars.org)
        * bootstrap (org.webjars.bowergithub.twbs:bootstrap:4.6.2 - https://www.webjars.org)
-        * core-js (org.webjars.npm:core-js:3.41.0 - https://www.webjars.org)
-        * @json-editor/json-editor (org.webjars.npm:json-editor__json-editor:2.15.1 - https://www.webjars.org)
+        * core-js (org.webjars.npm:core-js:3.42.0 - https://www.webjars.org)
+        * @json-editor/json-editor (org.webjars.npm:json-editor__json-editor:2.15.2 - https://www.webjars.org)

    Mozilla Public License:

        * juniversalchardet (com.github.albfernandez:juniversalchardet:2.5.0 - https://github.com/albfernandez/juniversalchardet)
        * openpdf (com.github.librepdf:openpdf:2.0.3 - https://github.com/LibrePDF/OpenPDF/openpdf)
        * H2 Database Engine (com.h2database:h2:2.3.232 - https://h2database.com)
-        * Saxon-HE (net.sf.saxon:Saxon-HE:9.8.0-14 - http://www.saxonica.com/)
+        * Saxon-HE (net.sf.saxon:Saxon-HE:9.9.1-8 - http://www.saxonica.com/)
        * Javassist (org.javassist:javassist:3.30.2-GA - https://www.javassist.org/)
        * Mozilla Rhino (org.mozilla:rhino:1.7.7.2 - https://developer.mozilla.org/en/Rhino)

--- a/README.md
+++ b/README.md
@@ -33,18 +33,18 @@ Prior versions of DSpace (v6.x and below) used two different UIs (XMLUI and JSPU
 Documentation for each release may be viewed online or downloaded via our [Documentation Wiki](https://wiki.lyrasis.org/display/DSDOC/).

 The latest DSpace Installation instructions are available at:
-https://wiki.lyrasis.org/display/DSDOC8x/Installing+DSpace
+https://wiki.lyrasis.org/display/DSDOC9x/Installing+DSpace

 Please be aware that, as a Java web application, DSpace requires a database (PostgreSQL)
 and a servlet container (usually Tomcat) in order to function.
 More information about these and all other prerequisites can be found in the Installation instructions above.

-## Running DSpace 8 in Docker
+## Running DSpace 9 in Docker

 NOTE: At this time, we do not have production-ready Docker images for DSpace.
 That said, we do have quick-start Docker Compose scripts for development or testing purposes.

-See [Running DSpace 8 with Docker Compose](dspace/src/main/docker-compose/README.md)
+See [Running DSpace 9 with Docker Compose](dspace/src/main/docker-compose/README.md)

 ## Contributing

--- a/checkstyle.xml
+++ b/checkstyle.xml
@@ -106,6 +106,9 @@ For more information on CheckStyle configurations below, see: http://checkstyle.
        <!-- Right braces should be on start of a new line (default value) -->
        <module name="RightCurly"/>

+        <!-- Enforce Java-style array declaration instead of C-style -->
+        <module name="ArrayTypeStyle"/>
+
        <!-- ##### Indentation / Whitespace requirements ##### -->
        <!-- Require 4-space indentation (default value) -->
        <module name="Indentation"/>
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -65,13 +65,12 @@ services:
  # DSpace PostgreSQL database container
  dspacedb:
    container_name: dspacedb
-    # Uses a custom Postgres image with pgcrypto installed
-    image: "${DOCKER_REGISTRY:-docker.io}/${DOCKER_OWNER:-dspace}/dspace-postgres-pgcrypto:${DSPACE_VER:-latest}"
-    build:
-      # Must build out of subdirectory to have access to install script for pgcrypto
-      context: ./dspace/src/main/docker/dspace-postgres-pgcrypto/
+    # Uses the base PostgreSQL image
+    image: "docker.io/postgres:${POSTGRES_VERSION:-15}"
    environment:
      PGDATA: /pgdata
+      POSTGRES_DB: dspace
+      POSTGRES_USER: dspace
      POSTGRES_PASSWORD: dspace
    networks:
      dspacenet:
--- a/dspace-api/pom.xml
+++ b/dspace-api/pom.xml
@@ -12,7 +12,7 @@
    <parent>
        <groupId>org.dspace</groupId>
        <artifactId>dspace-parent</artifactId>
-        <version>9.0-SNAPSHOT</version>
+        <version>10.0-SNAPSHOT</version>
        <relativePath>..</relativePath>
    </parent>

@@ -99,20 +99,6 @@
                </executions>
            </plugin>

-            <plugin>
-                <groupId>org.codehaus.mojo</groupId>
-                <artifactId>build-helper-maven-plugin</artifactId>
-                <version>3.6.0</version>
-                <executions>
-                    <execution>
-                        <phase>validate</phase>
-                        <goals>
-                            <goal>maven-version</goal>
-                        </goals>
-                    </execution>
-                </executions>
-            </plugin>
-
            <plugin>
                <groupId>org.codehaus.mojo</groupId>
                <artifactId>buildnumber-maven-plugin</artifactId>
@@ -500,10 +486,6 @@
            <groupId>jakarta.annotation</groupId>
            <artifactId>jakarta.annotation-api</artifactId>
        </dependency>
-        <dependency>
-            <groupId>jakarta.el</groupId>
-            <artifactId>jakarta.el-api</artifactId>
-        </dependency>
        <dependency>
            <groupId>jaxen</groupId>
            <artifactId>jaxen</artifactId>
@@ -738,7 +720,7 @@
        <dependency>
            <groupId>com.amazonaws</groupId>
            <artifactId>aws-java-sdk-s3</artifactId>
-            <version>1.12.782</version>
+            <version>1.12.791</version>
        </dependency>

        <!-- TODO: This may need to be replaced with the "orcid-model" artifact once this ticket is resolved:
@@ -779,7 +761,7 @@
        <dependency>
            <groupId>com.opencsv</groupId>
            <artifactId>opencsv</artifactId>
-            <version>5.10</version>
+            <version>5.12.0</version>
        </dependency>

        <!-- Email templating -->
@@ -792,7 +774,7 @@
        <dependency>
            <groupId>org.xmlunit</groupId>
            <artifactId>xmlunit-core</artifactId>
-            <version>2.10.0</version>
+            <version>2.10.4</version>
            <scope>test</scope>
        </dependency>

@@ -933,7 +915,7 @@
        <dependency>
            <groupId>org.xhtmlrenderer</groupId>
            <artifactId>flying-saucer-pdf</artifactId>
-            <version>9.12.0</version>
+            <version>9.13.3</version>
            <exclusions>
                <!-- Conflicts with Hibernate. Use version that is brought in via Hibernate -->
                <exclusion>
--- a/dspace-api/src/main/java/org/dspace/administer/RegistryImporter.java
+++ b/dspace-api/src/main/java/org/dspace/administer/RegistryImporter.java
@@ -10,7 +10,6 @@ package org.dspace.administer;
 import java.io.File;
 import java.io.IOException;
 import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.TransformerException;
 import javax.xml.xpath.XPath;
@@ -18,6 +17,7 @@ import javax.xml.xpath.XPathConstants;
 import javax.xml.xpath.XPathExpressionException;
 import javax.xml.xpath.XPathFactory;

+import org.dspace.app.util.XMLUtils;
 import org.w3c.dom.Document;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
@@ -49,8 +49,9 @@ public class RegistryImporter {
     */
    public static Document loadXML(String filename)
        throws IOException, ParserConfigurationException, SAXException {
-        DocumentBuilder builder = DocumentBuilderFactory.newInstance()
-                                                        .newDocumentBuilder();
+        // This XML builder will *not* disable external entities as XML
+        // registries are considered trusted content
+        DocumentBuilder builder = XMLUtils.getTrustedDocumentBuilder();

        Document document = builder.parse(new File(filename));

--- a/dspace-api/src/main/java/org/dspace/administer/RegistryLoader.java
+++ b/dspace-api/src/main/java/org/dspace/administer/RegistryLoader.java
@@ -13,7 +13,6 @@ import java.sql.SQLException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.TransformerException;
 import javax.xml.xpath.XPath;
@@ -29,6 +28,7 @@ import org.apache.commons.cli.Options;
 import org.apache.commons.cli.ParseException;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.Logger;
+import org.dspace.app.util.XMLUtils;
 import org.dspace.authorize.AuthorizeException;
 import org.dspace.content.BitstreamFormat;
 import org.dspace.content.factory.ContentServiceFactory;
@@ -266,8 +266,9 @@ public class RegistryLoader {
     */
    private static Document loadXML(String filename) throws IOException,
        ParserConfigurationException, SAXException {
-        DocumentBuilder builder = DocumentBuilderFactory.newInstance()
-                                                        .newDocumentBuilder();
+        // This XML builder will *not* disable external entities as XML
+        // registries are considered trusted content
+        DocumentBuilder builder = XMLUtils.getTrustedDocumentBuilder();

        return builder.parse(new File(filename));
    }
@@ -351,4 +352,4 @@ public class RegistryLoader {

        return data;
    }
-}
+}
--- a/dspace-api/src/main/java/org/dspace/administer/StructBuilder.java
+++ b/dspace-api/src/main/java/org/dspace/administer/StructBuilder.java
@@ -27,7 +27,6 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.TransformerException;
 import javax.xml.xpath.XPath;
@@ -43,9 +42,11 @@ import org.apache.commons.cli.Option;
 import org.apache.commons.cli.Options;
 import org.apache.commons.cli.ParseException;
 import org.apache.commons.lang3.StringUtils;
+import org.dspace.app.util.XMLUtils;
 import org.dspace.authorize.AuthorizeException;
 import org.dspace.content.Collection;
 import org.dspace.content.Community;
+import org.dspace.content.DSpaceObject;
 import org.dspace.content.Item;
 import org.dspace.content.MetadataFieldName;
 import org.dspace.content.MetadataSchemaEnum;
@@ -53,6 +54,7 @@ import org.dspace.content.MetadataValue;
 import org.dspace.content.factory.ContentServiceFactory;
 import org.dspace.content.service.CollectionService;
 import org.dspace.content.service.CommunityService;
+import org.dspace.core.Constants;
 import org.dspace.core.Context;
 import org.dspace.eperson.factory.EPersonServiceFactory;
 import org.dspace.eperson.service.EPersonService;
@@ -169,6 +171,10 @@ public class StructBuilder {
                .desc("File to receive the structure map ('-' for standard out).")
                .hasArg().argName("output").required().build());

+        options.addOption(Option.builder("p").longOpt("parent")
+                .desc("Parent community or handle (optional)")
+                .hasArg().argName("parent").required(false).build());
+
        // Parse the command line.
        CommandLineParser parser = new DefaultParser();
        CommandLine line = null;
@@ -202,6 +208,11 @@ public class StructBuilder {
            outputStream = new FileOutputStream(output);
        }

+        String parentID = null;
+        if (line.hasOption('p')) {
+            parentID = line.getOptionValue('p');
+        }
+
        // create a context
        Context context = new Context();

@@ -214,6 +225,30 @@ public class StructBuilder {
            System.exit(1);
        }

+        // Resolve optional "parent community" ID or handle to a community
+        Community parent = null;
+        if (parentID != null) {
+            DSpaceObject dso = handleService.resolveToObject(context, parentID);
+            if (dso != null) {
+                if (dso.getType() == Constants.COMMUNITY) {
+                    parent = (Community) dso;
+                } else {
+                    System.out.println("The handle provided for the -p option does not resolve to a community. " +
+                        parentID + " is an object of type: " + Constants.typeText[dso.getType()]);
+                    System.exit(0);
+                }
+            } else {
+                // Not a handle, see if it is an ID
+                Community community = communityService.findByIdOrLegacyId(context, parentID);
+                if (community != null) {
+                    parent = community;
+                } else {
+                    System.out.println("The value provided for -p is not a valid community ID or handle: " + parentID);
+                    System.exit(0);
+                }
+            }
+        }
+
        // Export? Import?
        if (line.hasOption('x')) { // export
            exportStructure(context, outputStream);
@@ -233,7 +268,7 @@ public class StructBuilder {
            }

            boolean keepHandles = options.hasOption("k");
-            importStructure(context, inputStream, outputStream, keepHandles);
+            importStructure(context, inputStream, outputStream, parent, keepHandles);

            inputStream.close();
            outputStream.close();
@@ -250,6 +285,7 @@ public class StructBuilder {
     * @param context
     * @param input XML which describes the new communities and collections.
     * @param output input, annotated with the new objects' identifiers.
+     * @param parent Community beneath which to attach this structure
     * @param keepHandles true if Handles should be set from input.
     * @throws IOException
     * @throws ParserConfigurationException
@@ -258,7 +294,7 @@ public class StructBuilder {
     * @throws SQLException
     */
    static void importStructure(Context context, InputStream input,
-            OutputStream output, boolean keepHandles)
+            OutputStream output, Community parent, boolean keepHandles)
            throws IOException, ParserConfigurationException, SQLException,
            TransformerException, XPathExpressionException {

@@ -325,7 +361,7 @@ public class StructBuilder {
                                             .evaluate(document, XPathConstants.NODESET);

            // run the import starting with the top level communities
-            elements = handleCommunities(context, first, null, keepHandles);
+            elements = handleCommunities(context, first, parent, keepHandles);
        } catch (TransformerException ex) {
            System.err.format("Input content not understood:  %s%n", ex.getMessage());
            System.exit(1);
@@ -613,8 +649,8 @@ public class StructBuilder {
     */
    private static org.w3c.dom.Document loadXML(InputStream input)
        throws IOException, ParserConfigurationException, SAXException {
-        DocumentBuilder builder = DocumentBuilderFactory.newInstance()
-                                                        .newDocumentBuilder();
+        // This builder factory does not disable external DTD, entities, etc.
+        DocumentBuilder builder = XMLUtils.getTrustedDocumentBuilder();

        org.w3c.dom.Document document = builder.parse(input);

--- a/dspace-api/src/main/java/org/dspace/app/bulkaccesscontrol/BulkAccessControl.java
+++ b/dspace-api/src/main/java/org/dspace/app/bulkaccesscontrol/BulkAccessControl.java
@@ -416,7 +416,7 @@ public class BulkAccessControl extends DSpaceRunnable<BulkAccessControlScriptCon
        discoverQuery.setQuery(query);
        discoverQuery.setStart(start);
        discoverQuery.setMaxResults(limit);
-
+        discoverQuery.setSortField("search.resourceid", DiscoverQuery.SORT_ORDER.asc);
        return discoverQuery;
    }

--- a/dspace-api/src/main/java/org/dspace/app/bulkedit/MetadataExportSearch.java
+++ b/dspace-api/src/main/java/org/dspace/app/bulkedit/MetadataExportSearch.java
@@ -14,6 +14,8 @@ import java.util.Iterator;
 import java.util.List;
 import java.util.UUID;

+import org.apache.commons.cli.DefaultParser;
+import org.apache.commons.cli.DefaultParser.Builder;
 import org.apache.commons.cli.ParseException;
 import org.dspace.content.Item;
 import org.dspace.content.MetadataDSpaceCsvExportServiceImpl;
@@ -167,4 +169,14 @@ public class MetadataExportSearch extends DSpaceRunnable<MetadataExportSearchScr
        }
        return scopeObj;
    }
+
+    @Override
+    protected StepResult parse(String[] args) throws ParseException {
+        commandLine = new DefaultParser().parse(getScriptConfiguration().getOptions(), args);
+        Builder builder = new DefaultParser().builder();
+        builder.setStripLeadingAndTrailingQuotes(false);
+        commandLine = builder.build().parse(getScriptConfiguration().getOptions(), args);
+        setup();
+        return StepResult.Continue;
+    }
 }
--- a/dspace-api/src/main/java/org/dspace/app/bulkedit/MetadataImport.java
+++ b/dspace-api/src/main/java/org/dspace/app/bulkedit/MetadataImport.java
@@ -495,7 +495,7 @@ public class MetadataImport extends DSpaceRunnable<MetadataImportScriptConfigura

                // Check it has an owning collection
                List<String> collections = line.get("collection");
-                if (collections == null) {
+                if (collections == null || collections.isEmpty()) {
                    throw new MetadataImportException(
                        "New items must have a 'collection' assigned in the form of a handle");
                }
@@ -1143,12 +1143,12 @@ public class MetadataImport extends DSpaceRunnable<MetadataImportScriptConfigura
            }

            // look up the value and authority in solr
-            List<AuthorityValue> byValue = authorityValueService.findByValue(c, schema, element, qualifier, value);
+            List<AuthorityValue> byValue = authorityValueService.findByValue(schema, element, qualifier, value);
            AuthorityValue authorityValue = null;
            if (byValue.isEmpty()) {
                String toGenerate = fromAuthority.generateString() + value;
                String field = schema + "_" + element + (StringUtils.isNotBlank(qualifier) ? "_" + qualifier : "");
-                authorityValue = authorityValueService.generate(c, toGenerate, value, field);
+                authorityValue = authorityValueService.generate(toGenerate, value, field);
                dcv.setAuthority(toGenerate);
            } else {
                authorityValue = byValue.get(0);
@@ -1560,7 +1560,7 @@ public class MetadataImport extends DSpaceRunnable<MetadataImportScriptConfigura
                ContentServiceFactory.getInstance().getMetadataFieldService();
            int i = reference.indexOf(":");
            String mfValue = reference.substring(i + 1);
-            String mf[] = reference.substring(0, i).split("\\.");
+            String[] mf = reference.substring(0, i).split("\\.");
            if (mf.length < 2) {
                throw new MetadataImportException("Error in CSV row " + rowCount + ":\n" +
                                                      "Bad metadata field in reference: '" + reference
--- a/dspace-api/src/main/java/org/dspace/app/itemexport/ItemExportServiceImpl.java
+++ b/dspace-api/src/main/java/org/dspace/app/itemexport/ItemExportServiceImpl.java
@@ -353,7 +353,7 @@ public class ItemExportServiceImpl implements ItemExportService {

    /**
     * Create the 'collections' file.  List handles of all Collections which
-     * contain this Item.  The "owning" Collection is listed first.
+     * contain this Item. The "owning" Collection is listed first.
     *
     * @param item list collections holding this Item.
     * @param destDir write the file here.
@@ -364,12 +364,14 @@ public class ItemExportServiceImpl implements ItemExportService {
        File outFile = new File(destDir, "collections");
        if (outFile.createNewFile()) {
            try (PrintWriter out = new PrintWriter(new FileWriter(outFile))) {
-                String ownerHandle = item.getOwningCollection().getHandle();
-                out.println(ownerHandle);
+                Collection owningCollection = item.getOwningCollection();
+                // The owning collection is null for workspace and workflow items
+                if (owningCollection != null) {
+                    out.println(owningCollection.getHandle());
+                }
                for (Collection collection : item.getCollections()) {
-                    String collectionHandle = collection.getHandle();
-                    if (!collectionHandle.equals(ownerHandle)) {
-                        out.println(collectionHandle);
+                    if (!collection.equals(owningCollection)) {
+                        out.println(collection.getHandle());
                    }
                }
            }
--- a/dspace-api/src/main/java/org/dspace/app/itemimport/ItemImport.java
+++ b/dspace-api/src/main/java/org/dspace/app/itemimport/ItemImport.java
@@ -23,6 +23,7 @@ import java.util.UUID;

 import org.apache.commons.cli.ParseException;
 import org.apache.commons.io.FileUtils;
+import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.tika.Tika;
 import org.dspace.app.itemimport.factory.ItemImportServiceFactory;
@@ -334,33 +335,38 @@ public class ItemImport extends DSpaceRunnable<ItemImportScriptConfiguration> {
    protected void readZip(Context context, ItemImportService itemImportService) throws Exception {
        Optional<InputStream> optionalFileStream = Optional.empty();
        Optional<InputStream> validationFileStream = Optional.empty();
-        if (!remoteUrl) {
-            // manage zip via upload
-            optionalFileStream = handler.getFileStream(context, zipfilename);
-            validationFileStream = handler.getFileStream(context, zipfilename);
-        } else {
-            // manage zip via remote url
-            optionalFileStream = Optional.ofNullable(new URL(zipfilename).openStream());
-            validationFileStream = Optional.ofNullable(new URL(zipfilename).openStream());
-        }
-
-        if (validationFileStream.isPresent()) {
-            // validate zip file
-            if (validationFileStream.isPresent()) {
-                validateZip(validationFileStream.get());
+        try {
+            if (!remoteUrl) {
+                // manage zip via upload
+                optionalFileStream = handler.getFileStream(context, zipfilename);
+                validationFileStream = handler.getFileStream(context, zipfilename);
+            } else {
+                // manage zip via remote url
+                optionalFileStream = Optional.ofNullable(new URL(zipfilename).openStream());
+                validationFileStream = Optional.ofNullable(new URL(zipfilename).openStream());
            }

-            workFile = new File(itemImportService.getTempWorkDir() + File.separator
-                    + zipfilename + "-" + context.getCurrentUser().getID());
-            FileUtils.copyInputStreamToFile(optionalFileStream.get(), workFile);
-        } else {
-            throw new IllegalArgumentException(
-                    "Error reading file, the file couldn't be found for filename: " + zipfilename);
-        }
+            if (validationFileStream.isPresent()) {
+                // validate zip file
+                if (validationFileStream.isPresent()) {
+                    validateZip(validationFileStream.get());
+                }

-        workDir = new File(itemImportService.getTempWorkDir() + File.separator + TEMP_DIR
-                           + File.separator + context.getCurrentUser().getID());
-        sourcedir = itemImportService.unzip(workFile, workDir.getAbsolutePath());
+                workFile = new File(itemImportService.getTempWorkDir() + File.separator
+                        + zipfilename + "-" + context.getCurrentUser().getID());
+                FileUtils.copyInputStreamToFile(optionalFileStream.get(), workFile);
+            } else {
+                throw new IllegalArgumentException(
+                        "Error reading file, the file couldn't be found for filename: " + zipfilename);
+            }
+
+            workDir = new File(itemImportService.getTempWorkDir() + File.separator + TEMP_DIR
+                    + File.separator + context.getCurrentUser().getID());
+            sourcedir = itemImportService.unzip(workFile, workDir.getAbsolutePath());
+        } finally {
+            optionalFileStream.ifPresent(IOUtils::closeQuietly);
+            validationFileStream.ifPresent(IOUtils::closeQuietly);
+        }
    }

    /**
--- a/dspace-api/src/main/java/org/dspace/app/itemimport/ItemImportCLI.java
+++ b/dspace-api/src/main/java/org/dspace/app/itemimport/ItemImportCLI.java
@@ -17,6 +17,7 @@ import java.util.Optional;
 import java.util.UUID;

 import org.apache.commons.io.FileUtils;
+import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.dspace.app.itemimport.service.ItemImportService;
 import org.dspace.content.Collection;
@@ -111,7 +112,11 @@ public class ItemImportCLI extends ItemImport {

                // validate zip file
                InputStream validationFileStream = new FileInputStream(myZipFile);
-                validateZip(validationFileStream);
+                try {
+                    validateZip(validationFileStream);
+                } finally {
+                    IOUtils.closeQuietly(validationFileStream);
+                }

                workDir = new File(itemImportService.getTempWorkDir() + File.separator + TEMP_DIR
                        + File.separator + context.getCurrentUser().getID());
@@ -120,22 +125,28 @@ public class ItemImportCLI extends ItemImport {
            } else {
                // manage zip via remote url
                Optional<InputStream> optionalFileStream = Optional.ofNullable(new URL(zipfilename).openStream());
-                if (optionalFileStream.isPresent()) {
-                    // validate zip file via url
-                    Optional<InputStream> validationFileStream = Optional.ofNullable(new URL(zipfilename).openStream());
-                    if (validationFileStream.isPresent()) {
-                        validateZip(validationFileStream.get());
-                    }
+                Optional<InputStream> validationFileStream = Optional.ofNullable(new URL(zipfilename).openStream());
+                try {
+                    if (optionalFileStream.isPresent()) {
+                        // validate zip file via url

-                    workFile = new File(itemImportService.getTempWorkDir() + File.separator
-                            + zipfilename + "-" + context.getCurrentUser().getID());
-                    FileUtils.copyInputStreamToFile(optionalFileStream.get(), workFile);
-                    workDir = new File(itemImportService.getTempWorkDir() + File.separator + TEMP_DIR
-                                       + File.separator + context.getCurrentUser().getID());
-                    sourcedir = itemImportService.unzip(workFile, workDir.getAbsolutePath());
-                } else {
-                    throw new IllegalArgumentException(
-                            "Error reading file, the file couldn't be found for filename: " + zipfilename);
+                        if (validationFileStream.isPresent()) {
+                            validateZip(validationFileStream.get());
+                        }
+
+                        workFile = new File(itemImportService.getTempWorkDir() + File.separator
+                                + zipfilename + "-" + context.getCurrentUser().getID());
+                        FileUtils.copyInputStreamToFile(optionalFileStream.get(), workFile);
+                        workDir = new File(itemImportService.getTempWorkDir() + File.separator + TEMP_DIR
+                                + File.separator + context.getCurrentUser().getID());
+                        sourcedir = itemImportService.unzip(workFile, workDir.getAbsolutePath());
+                    } else {
+                        throw new IllegalArgumentException(
+                                "Error reading file, the file couldn't be found for filename: " + zipfilename);
+                    }
+                } finally {
+                    optionalFileStream.ifPresent(IOUtils::closeQuietly);
+                    validationFileStream.ifPresent(IOUtils::closeQuietly);
                }
            }
        }
--- a/dspace-api/src/main/java/org/dspace/app/itemimport/ItemImportServiceImpl.java
+++ b/dspace-api/src/main/java/org/dspace/app/itemimport/ItemImportServiceImpl.java
@@ -29,6 +29,7 @@ import java.io.InputStream;
 import java.io.OutputStream;
 import java.io.PrintWriter;
 import java.net.URL;
+import java.nio.file.Path;
 import java.sql.SQLException;
 import java.time.Instant;
 import java.time.LocalDateTime;
@@ -48,7 +49,6 @@ import java.util.UUID;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipFile;
 import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.TransformerException;
 import javax.xml.xpath.XPath;
@@ -68,6 +68,7 @@ import org.apache.logging.log4j.Logger;
 import org.dspace.app.itemimport.service.ItemImportService;
 import org.dspace.app.util.LocalSchemaFilenameFilter;
 import org.dspace.app.util.RelationshipUtils;
+import org.dspace.app.util.XMLUtils;
 import org.dspace.authorize.AuthorizeException;
 import org.dspace.authorize.ResourcePolicy;
 import org.dspace.authorize.service.AuthorizeService;
@@ -180,6 +181,8 @@ public class ItemImportServiceImpl implements ItemImportService, InitializingBea
    @Autowired(required = true)
    protected MetadataValueService metadataValueService;

+    protected DocumentBuilder builder;
+
    protected String tempWorkDir;

    protected boolean isTest = false;
@@ -602,7 +605,7 @@ public class ItemImportServiceImpl implements ItemImportService, InitializingBea

        Item item = null;

-        String mf[] = metaKey.split("\\.");
+        String[] mf = metaKey.split("\\.");
        if (mf.length < 2) {
            throw new Exception("Bad metadata field in reference: '" + metaKey +
                "' (expected syntax is schema.element[.qualifier])");
@@ -743,15 +746,22 @@ public class ItemImportServiceImpl implements ItemImportService, InitializingBea
            myitem = wi.getItem();
        }

+        // normalize and validate path to make sure itemname doesn't contain path traversal
+        Path itemPath = new File(path + File.separatorChar + itemname + File.separatorChar)
+            .toPath().normalize();
+        if (!itemPath.startsWith(path)) {
+            throw new IOException("Illegal item metadata path: '" + itemPath);
+        }
+        // Normalization chops off the last separator, and we need to put it back
+        String itemPathDir = itemPath.toString() + File.separatorChar;
+
        // now fill out dublin core for item
-        loadMetadata(c, myitem, path + File.separatorChar + itemname
-            + File.separatorChar);
+        loadMetadata(c, myitem, itemPathDir);

        // and the bitstreams from the contents file
        // process contents file, add bistreams and bundles, return any
        // non-standard permissions
-        List<String> options = processContentsFile(c, myitem, path
-            + File.separatorChar + itemname, "contents");
+        List<String> options = processContentsFile(c, myitem, itemPathDir, "contents");

        if (useWorkflow) {
            // don't process handle file
@@ -769,8 +779,7 @@ public class ItemImportServiceImpl implements ItemImportService, InitializingBea
            }
        } else {
            // only process handle file if not using workflow system
-            String myhandle = processHandleFile(c, myitem, path
-                + File.separatorChar + itemname, "handle");
+            String myhandle = processHandleFile(c, myitem, itemPathDir, "handle");

            // put item in system
            if (!isTest) {
@@ -904,7 +913,7 @@ public class ItemImportServiceImpl implements ItemImportService, InitializingBea

        // Load any additional metadata schemas
        File folder = new File(path);
-        File file[] = folder.listFiles(metadataFileFilter);
+        File[] file = folder.listFiles(metadataFileFilter);
        for (int i = 0; i < file.length; i++) {
            loadDublinCore(c, myitem, file[i].getAbsolutePath());
        }
@@ -1002,6 +1011,34 @@ public class ItemImportServiceImpl implements ItemImportService, InitializingBea
        }
    }

+    /**
+     * Ensures a file path does not attempt to access files outside the designated parent directory.
+     *
+     * @param parentDir          The absolute path to the parent directory that should contain the file
+     * @param fileName           The name or path of the file to validate
+     * @throws IOException       If an error occurs while resolving canonical paths, or the file path attempts
+     *                           to access a location outside the parent directory
+     */
+    private void validateFilePath(String parentDir, String fileName) throws IOException {
+        File parent = new File(parentDir);
+        File file = new File(fileName);
+
+        // If the fileName is not an absolute path, we resolve it against the parentDir
+        if (!file.isAbsolute()) {
+            file = new File(parent, fileName);
+        }
+
+        String parentCanonicalPath = parent.getCanonicalPath();
+        String fileCanonicalPath = file.getCanonicalPath();
+
+        if (!fileCanonicalPath.startsWith(parentCanonicalPath)) {
+            log.error("File path outside of canonical root requested: fileCanonicalPath={} does not begin " +
+                "with parentCanonicalPath={}", fileCanonicalPath, parentCanonicalPath);
+            throw new IOException("Illegal file path '" + fileName + "' encountered. This references a path " +
+                "outside of the import package. Please see the system logs for more details.");
+        }
+    }
+
    /**
     * Read the collections file inside the item directory. If there
     * is one and it is not empty return a list of collections in
@@ -1202,6 +1239,7 @@ public class ItemImportServiceImpl implements ItemImportService, InitializingBea
                            sDescription = sDescription.replaceFirst("description:", "");
                        }

+                        validateFilePath(path, sFilePath);
                        registerBitstream(c, i, iAssetstore, sFilePath, sBundle, sDescription);
                        logInfo("\tRegistering Bitstream: " + sFilePath
                            + "\tAssetstore: " + iAssetstore
@@ -1415,6 +1453,7 @@ public class ItemImportServiceImpl implements ItemImportService, InitializingBea
            return;
        }

+        validateFilePath(path, fileName);
        String fullpath = path + File.separatorChar + fileName;

        // get an input stream
@@ -1426,11 +1465,11 @@ public class ItemImportServiceImpl implements ItemImportService, InitializingBea

        if (bundleName == null) {
            // is it license.txt?
-            if ("license.txt".equals(fileName)) {
-                newBundleName = "LICENSE";
+            if (Constants.LICENSE_BITSTREAM_NAME.equals(fileName)) {
+                newBundleName = Constants.LICENSE_BUNDLE_NAME;
            } else {
                // call it ORIGINAL
-                newBundleName = "ORIGINAL";
+                newBundleName = Constants.CONTENT_BUNDLE_NAME;
            }
        }

@@ -1494,11 +1533,11 @@ public class ItemImportServiceImpl implements ItemImportService, InitializingBea

        if (StringUtils.isBlank(bundleName)) {
            // is it license.txt?
-            if (bitstreamPath.endsWith("license.txt")) {
-                newBundleName = "LICENSE";
+            if (bitstreamPath.endsWith(Constants.LICENSE_BITSTREAM_NAME)) {
+                newBundleName = Constants.LICENSE_BUNDLE_NAME;
            } else {
                // call it ORIGINAL
-                newBundleName = "ORIGINAL";
+                newBundleName = Constants.CONTENT_BUNDLE_NAME;
            }
        }

@@ -1889,9 +1928,7 @@ public class ItemImportServiceImpl implements ItemImportService, InitializingBea
     */
    protected Document loadXML(String filename) throws IOException,
        ParserConfigurationException, SAXException {
-        DocumentBuilder builder = DocumentBuilderFactory.newInstance()
-                                                        .newDocumentBuilder();
-
+        DocumentBuilder builder = XMLUtils.getDocumentBuilder();
        return builder.parse(new File(filename));
    }

--- a/dspace-api/src/main/java/org/dspace/app/itemupdate/AddBitstreamsAction.java
+++ b/dspace-api/src/main/java/org/dspace/app/itemupdate/AddBitstreamsAction.java
@@ -27,6 +27,7 @@ import org.dspace.content.Item;
 import org.dspace.content.factory.ContentServiceFactory;
 import org.dspace.content.service.BitstreamFormatService;
 import org.dspace.content.service.InstallItemService;
+import org.dspace.core.Constants;
 import org.dspace.core.Context;
 import org.dspace.eperson.Group;
 import org.dspace.eperson.factory.EPersonServiceFactory;
@@ -138,10 +139,10 @@ public class AddBitstreamsAction extends UpdateBitstreamsAction {
        String newBundleName = ce.bundlename;

        if (ce.bundlename == null) { // should be required but default convention established
-            if (ce.filename.equals("license.txt")) {
-                newBundleName = "LICENSE";
+            if (ce.filename.equals(Constants.LICENSE_BITSTREAM_NAME)) {
+                newBundleName = Constants.LICENSE_BUNDLE_NAME;
            } else {
-                newBundleName = "ORIGINAL";
+                newBundleName = Constants.CONTENT_BUNDLE_NAME;
            }
        }
        ItemUpdate.pr("  Bitstream " + ce.filename + " to be added to bundle: " + newBundleName);
--- a/dspace-api/src/main/java/org/dspace/app/itemupdate/ItemArchive.java
+++ b/dspace-api/src/main/java/org/dspace/app/itemupdate/ItemArchive.java
@@ -23,8 +23,6 @@ import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.List;
 import java.util.UUID;
-import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerConfigurationException;
@@ -33,6 +31,7 @@ import javax.xml.transform.TransformerFactory;

 import org.apache.logging.log4j.Logger;
 import org.dspace.app.util.LocalSchemaFilenameFilter;
+import org.dspace.app.util.XMLUtils;
 import org.dspace.authorize.AuthorizeException;
 import org.dspace.content.DSpaceObject;
 import org.dspace.content.Item;
@@ -52,7 +51,6 @@ public class ItemArchive {

    public static final String DUBLIN_CORE_XML = "dublin_core.xml";

-    protected static DocumentBuilder builder = null;
    protected Transformer transformer = null;

    protected List<DtoMetadata> dtomList = null;
@@ -95,14 +93,14 @@ public class ItemArchive {
        InputStream is = null;
        try {
            is = new FileInputStream(new File(dir, DUBLIN_CORE_XML));
-            itarch.dtomList = MetadataUtilities.loadDublinCore(getDocumentBuilder(), is);
+            itarch.dtomList = MetadataUtilities.loadDublinCore(XMLUtils.getDocumentBuilder(), is);

            //The code to search for local schema files was copied from org.dspace.app.itemimport
            // .ItemImportServiceImpl.java
-            File file[] = dir.listFiles(new LocalSchemaFilenameFilter());
+            File[] file = dir.listFiles(new LocalSchemaFilenameFilter());
            for (int i = 0; i < file.length; i++) {
                is = new FileInputStream(file[i]);
-                itarch.dtomList.addAll(MetadataUtilities.loadDublinCore(getDocumentBuilder(), is));
+                itarch.dtomList.addAll(MetadataUtilities.loadDublinCore(XMLUtils.getDocumentBuilder(), is));
            }
        } finally {
            if (is != null) {
@@ -126,14 +124,6 @@ public class ItemArchive {
        return itarch;
    }

-    protected static DocumentBuilder getDocumentBuilder()
-        throws ParserConfigurationException {
-        if (builder == null) {
-            builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
-        }
-        return builder;
-    }
-
    /**
     * Getter for Transformer
     *
@@ -318,7 +308,7 @@ public class ItemArchive {

        try {
            out = new FileOutputStream(new File(dir, "dublin_core.xml"));
-            Document doc = MetadataUtilities.writeDublinCore(getDocumentBuilder(), undoDtomList);
+            Document doc = MetadataUtilities.writeDublinCore(XMLUtils.getDocumentBuilder(), undoDtomList);
            MetadataUtilities.writeDocument(doc, getTransformer(), out);

            // if undo has delete bitstream
--- a/dspace-api/src/main/java/org/dspace/app/launcher/ScriptLauncher.java
+++ b/dspace-api/src/main/java/org/dspace/app/launcher/ScriptLauncher.java
@@ -19,6 +19,7 @@ import java.util.TreeMap;
 import org.apache.commons.cli.ParseException;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.dspace.app.util.XMLUtils;
 import org.dspace.core.Context;
 import org.dspace.scripts.DSpaceRunnable;
 import org.dspace.scripts.DSpaceRunnable.StepResult;
@@ -314,7 +315,7 @@ public class ScriptLauncher {
        String config = kernelImpl.getConfigurationService().getProperty("dspace.dir") +
            System.getProperty("file.separator") + "config" +
            System.getProperty("file.separator") + "launcher.xml";
-        SAXBuilder saxBuilder = new SAXBuilder();
+        SAXBuilder saxBuilder = XMLUtils.getSAXBuilder();
        Document doc = null;
        try {
            doc = saxBuilder.build(config);
--- a/dspace-api/src/main/java/org/dspace/app/mediafilter/BrandedPreviewJPEGFilter.java
+++ b/dspace-api/src/main/java/org/dspace/app/mediafilter/BrandedPreviewJPEGFilter.java
@@ -7,9 +7,7 @@
 */
 package org.dspace.app.mediafilter;

-import java.awt.image.BufferedImage;
 import java.io.InputStream;
-import javax.imageio.ImageIO;

 import org.dspace.content.Item;
 import org.dspace.services.ConfigurationService;
@@ -63,27 +61,20 @@ public class BrandedPreviewJPEGFilter extends MediaFilter {
    @Override
    public InputStream getDestinationStream(Item currentItem, InputStream source, boolean verbose)
        throws Exception {
-        // read in bitstream's image
-        BufferedImage buf = ImageIO.read(source);
-
        // get config params
        ConfigurationService configurationService
                = DSpaceServicesFactory.getInstance().getConfigurationService();
-        float xmax = (float) configurationService
-            .getIntProperty("webui.preview.maxwidth");
-        float ymax = (float) configurationService
-            .getIntProperty("webui.preview.maxheight");
-        boolean blurring = (boolean) configurationService
-            .getBooleanProperty("webui.preview.blurring");
-        boolean hqscaling = (boolean) configurationService
-            .getBooleanProperty("webui.preview.hqscaling");
+        int xmax = configurationService.getIntProperty("webui.preview.maxwidth");
+        int ymax = configurationService.getIntProperty("webui.preview.maxheight");
+        boolean blurring = configurationService.getBooleanProperty("webui.preview.blurring");
+        boolean hqscaling = configurationService.getBooleanProperty("webui.preview.hqscaling");
        int brandHeight = configurationService.getIntProperty("webui.preview.brand.height");
        String brandFont = configurationService.getProperty("webui.preview.brand.font");
        int brandFontPoint = configurationService.getIntProperty("webui.preview.brand.fontpoint");

        JPEGFilter jpegFilter = new JPEGFilter();
-        return jpegFilter
-            .getThumbDim(currentItem, buf, verbose, xmax, ymax, blurring, hqscaling, brandHeight, brandFontPoint,
-                         brandFont);
+        return jpegFilter.getThumb(
+                currentItem, source, verbose, xmax, ymax, blurring, hqscaling, brandHeight, brandFontPoint, brandFont
+        );
    }
 }
--- a/dspace-api/src/main/java/org/dspace/app/mediafilter/ImageMagickThumbnailFilter.java
+++ b/dspace-api/src/main/java/org/dspace/app/mediafilter/ImageMagickThumbnailFilter.java
@@ -14,7 +14,7 @@ import java.io.InputStream;
 import java.util.regex.Pattern;
 import java.util.regex.PatternSyntaxException;

-import org.apache.pdfbox.pdmodel.PDDocument;
+import org.apache.pdfbox.Loader;
 import org.apache.pdfbox.pdmodel.PDPage;
 import org.apache.pdfbox.pdmodel.common.PDRectangle;
 import org.dspace.content.Bitstream;
@@ -153,8 +153,8 @@ public abstract class ImageMagickThumbnailFilter extends MediaFilter {
        // the CropBox is missing or empty because pdfbox will set it to the
        // same size as the MediaBox if it doesn't exist. Also note that we
        // only need to check the first page, since that's what we use for
-        // generating the thumbnail (PDDocument uses a zero-based index).
-        PDPage pdfPage = PDDocument.load(f).getPage(0);
+        // generating the thumbnail (PDPage uses a zero-based index).
+        PDPage pdfPage = Loader.loadPDF(f).getPage(0);
        PDRectangle pdfPageMediaBox = pdfPage.getMediaBox();
        PDRectangle pdfPageCropBox = pdfPage.getCropBox();

--- a/dspace-api/src/main/java/org/dspace/app/mediafilter/JPEGFilter.java
+++ b/dspace-api/src/main/java/org/dspace/app/mediafilter/JPEGFilter.java
@@ -8,19 +8,32 @@
 package org.dspace.app.mediafilter;

 import java.awt.Color;
+import java.awt.Dimension;
 import java.awt.Font;
 import java.awt.Graphics2D;
 import java.awt.RenderingHints;
 import java.awt.Transparency;
+import java.awt.geom.AffineTransform;
 import java.awt.image.BufferedImage;
 import java.awt.image.BufferedImageOp;
 import java.awt.image.ConvolveOp;
 import java.awt.image.Kernel;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
 import java.io.InputStream;
 import javax.imageio.ImageIO;

+import com.drew.imaging.ImageMetadataReader;
+import com.drew.imaging.ImageProcessingException;
+import com.drew.metadata.Metadata;
+import com.drew.metadata.MetadataException;
+import com.drew.metadata.exif.ExifIFD0Directory;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.dspace.content.Item;
 import org.dspace.services.ConfigurationService;
 import org.dspace.services.factory.DSpaceServicesFactory;
@@ -33,6 +46,8 @@ import org.dspace.services.factory.DSpaceServicesFactory;
 * @author Jason Sherman jsherman@usao.edu
 */
 public class JPEGFilter extends MediaFilter implements SelfRegisterInputFormats {
+    private static final Logger log = LogManager.getLogger(JPEGFilter.class);
+
    @Override
    public String getFilteredName(String oldFilename) {
        return oldFilename + ".jpg";
@@ -62,6 +77,115 @@ public class JPEGFilter extends MediaFilter implements SelfRegisterInputFormats
        return "Generated Thumbnail";
    }

+    /**
+     * Gets the rotation angle from image's metadata using ImageReader.
+     * This method consumes the InputStream, so you need to be careful to don't reuse the same InputStream after
+     * computing the rotation angle.
+     *
+     * @param buf InputStream of the image file
+     * @return Rotation angle in degrees (0, 90, 180, or 270)
+     */
+    public static int getImageRotationUsingImageReader(InputStream buf) {
+        try {
+            Metadata metadata = ImageMetadataReader.readMetadata(buf);
+            ExifIFD0Directory directory = metadata.getFirstDirectoryOfType(ExifIFD0Directory.class);
+            if (directory != null && directory.containsTag(ExifIFD0Directory.TAG_ORIENTATION)) {
+                return convertRotationToDegrees(directory.getInt(ExifIFD0Directory.TAG_ORIENTATION));
+            }
+        } catch (MetadataException | ImageProcessingException | IOException e) {
+            log.error("Error reading image metadata", e);
+        }
+        return 0;
+    }
+
+    public static int convertRotationToDegrees(int valueNode) {
+        // Common orientation values:
+        // 1 = Normal (0°)
+        // 6 = Rotated 90° CW
+        // 3 = Rotated 180°
+        // 8 = Rotated 270° CW
+        switch (valueNode) {
+            case 6:
+                return 90;
+            case 3:
+                return 180;
+            case 8:
+                return 270;
+            default:
+                return 0;
+        }
+    }
+
+    /**
+     * Rotates an image by the specified angle
+     *
+     * @param image The original image
+     * @param angle The rotation angle in degrees
+     * @return Rotated image
+     */
+    public static BufferedImage rotateImage(BufferedImage image, int angle) {
+        if (angle == 0) {
+            return image;
+        }
+
+        double radians = Math.toRadians(angle);
+        double sin = Math.abs(Math.sin(radians));
+        double cos = Math.abs(Math.cos(radians));
+
+        int newWidth = (int) Math.round(image.getWidth() * cos + image.getHeight() * sin);
+        int newHeight = (int) Math.round(image.getWidth() * sin + image.getHeight() * cos);
+
+        BufferedImage rotated = new BufferedImage(newWidth, newHeight, image.getType());
+        Graphics2D g2d = rotated.createGraphics();
+        AffineTransform at = new AffineTransform();
+
+        at.translate(newWidth / 2, newHeight / 2);
+        at.rotate(radians);
+        at.translate(-image.getWidth() / 2, -image.getHeight() / 2);
+
+        g2d.setTransform(at);
+        g2d.drawImage(image, 0, 0, null);
+        g2d.dispose();
+
+        return rotated;
+    }
+
+    /**
+     * Calculates scaled dimension while maintaining aspect ratio
+     *
+     * @param imgSize  Original image dimensions
+     * @param boundary Maximum allowed dimensions
+     * @return New dimensions that fit within boundary while preserving aspect ratio
+     */
+    private Dimension getScaledDimension(Dimension imgSize, Dimension boundary) {
+
+        int originalWidth = imgSize.width;
+        int originalHeight = imgSize.height;
+        int boundWidth = boundary.width;
+        int boundHeight = boundary.height;
+        int newWidth = originalWidth;
+        int newHeight = originalHeight;
+
+
+        // First check if we need to scale width
+        if (originalWidth > boundWidth) {
+            // Scale width to fit
+            newWidth = boundWidth;
+            // Scale height to maintain aspect ratio
+            newHeight = (newWidth * originalHeight) / originalWidth;
+        }
+
+        // Then check if we need to scale even with the new height
+        if (newHeight > boundHeight) {
+            // Scale height to fit instead
+            newHeight = boundHeight;
+            newWidth = (newHeight * originalWidth) / originalHeight;
+        }
+
+        return new Dimension(newWidth, newHeight);
+    }
+
+
    /**
     * @param currentItem item
     * @param source      source input stream
@@ -72,10 +196,65 @@ public class JPEGFilter extends MediaFilter implements SelfRegisterInputFormats
    @Override
    public InputStream getDestinationStream(Item currentItem, InputStream source, boolean verbose)
        throws Exception {
-        // read in bitstream's image
-        BufferedImage buf = ImageIO.read(source);
+        return getThumb(currentItem, source, verbose);
+    }

-        return getThumb(currentItem, buf, verbose);
+    public InputStream getThumb(Item currentItem, InputStream source, boolean verbose)
+        throws Exception {
+        // get config params
+        final ConfigurationService configurationService
+            = DSpaceServicesFactory.getInstance().getConfigurationService();
+        int xmax = configurationService
+            .getIntProperty("thumbnail.maxwidth");
+        int ymax = configurationService
+            .getIntProperty("thumbnail.maxheight");
+        boolean blurring = (boolean) configurationService
+            .getBooleanProperty("thumbnail.blurring");
+        boolean hqscaling = (boolean) configurationService
+            .getBooleanProperty("thumbnail.hqscaling");
+
+        return getThumb(currentItem, source, verbose, xmax, ymax, blurring, hqscaling, 0, 0, null);
+    }
+
+    protected InputStream getThumb(
+        Item currentItem,
+        InputStream source,
+        boolean verbose,
+        int xmax,
+        int ymax,
+        boolean blurring,
+        boolean hqscaling,
+        int brandHeight,
+        int brandFontPoint,
+        String brandFont
+    ) throws Exception {
+
+        File tempFile = File.createTempFile("temp", ".tmp");
+        tempFile.deleteOnExit();
+
+        // Write to temp file
+        try (FileOutputStream fos = new FileOutputStream(tempFile)) {
+            byte[] buffer = new byte[4096];
+            int len;
+            while ((len = source.read(buffer)) != -1) {
+                fos.write(buffer, 0, len);
+            }
+        }
+
+        int rotation = 0;
+        try (FileInputStream fis = new FileInputStream(tempFile)) {
+            rotation = getImageRotationUsingImageReader(fis);
+        }
+
+        try (FileInputStream fis = new FileInputStream(tempFile)) {
+            // read in bitstream's image
+            BufferedImage buf = ImageIO.read(fis);
+
+            return getThumbDim(
+                currentItem, buf, verbose, xmax, ymax, blurring, hqscaling, brandHeight, brandFontPoint, rotation,
+                brandFont
+            );
+        }
    }

    public InputStream getThumb(Item currentItem, BufferedImage buf, boolean verbose)
@@ -83,25 +262,28 @@ public class JPEGFilter extends MediaFilter implements SelfRegisterInputFormats
        // get config params
        final ConfigurationService configurationService
                = DSpaceServicesFactory.getInstance().getConfigurationService();
-        float xmax = (float) configurationService
+        int xmax = configurationService
            .getIntProperty("thumbnail.maxwidth");
-        float ymax = (float) configurationService
+        int ymax = configurationService
            .getIntProperty("thumbnail.maxheight");
        boolean blurring = (boolean) configurationService
            .getBooleanProperty("thumbnail.blurring");
        boolean hqscaling = (boolean) configurationService
            .getBooleanProperty("thumbnail.hqscaling");

-        return getThumbDim(currentItem, buf, verbose, xmax, ymax, blurring, hqscaling, 0, 0, null);
+        return getThumbDim(currentItem, buf, verbose, xmax, ymax, blurring, hqscaling, 0, 0, 0, null);
    }

-    public InputStream getThumbDim(Item currentItem, BufferedImage buf, boolean verbose, float xmax, float ymax,
+    public InputStream getThumbDim(Item currentItem, BufferedImage buf, boolean verbose, int xmax, int ymax,
                                   boolean blurring, boolean hqscaling, int brandHeight, int brandFontPoint,
-                                   String brandFont)
+                                   int rotation, String brandFont)
        throws Exception {
-        // now get the image dimensions
-        float xsize = (float) buf.getWidth(null);
-        float ysize = (float) buf.getHeight(null);
+
+        // Rotate the image if needed
+        BufferedImage correctedImage = rotateImage(buf, rotation);
+
+        int xsize = correctedImage.getWidth();
+        int ysize = correctedImage.getHeight();

        // if verbose flag is set, print out dimensions
        // to STDOUT
@@ -109,86 +291,63 @@ public class JPEGFilter extends MediaFilter implements SelfRegisterInputFormats
            System.out.println("original size: " + xsize + "," + ysize);
        }

-        // scale by x first if needed
-        if (xsize > xmax) {
-            // calculate scaling factor so that xsize * scale = new size (max)
-            float scale_factor = xmax / xsize;
+        // Calculate new dimensions while maintaining aspect ratio
+        Dimension newDimension = getScaledDimension(
+            new Dimension(xsize, ysize),
+            new Dimension(xmax, ymax)
+        );

-            // if verbose flag is set, print out extracted text
-            // to STDOUT
-            if (verbose) {
-                System.out.println("x scale factor: " + scale_factor);
-            }
-
-            // now reduce x size
-            // and y size
-            xsize = xsize * scale_factor;
-            ysize = ysize * scale_factor;
-
-            // if verbose flag is set, print out extracted text
-            // to STDOUT
-            if (verbose) {
-                System.out.println("size after fitting to maximum width: " + xsize + "," + ysize);
-            }
-        }
-
-        // scale by y if needed
-        if (ysize > ymax) {
-            float scale_factor = ymax / ysize;
-
-            // now reduce x size
-            // and y size
-            xsize = xsize * scale_factor;
-            ysize = ysize * scale_factor;
-        }

        // if verbose flag is set, print details to STDOUT
        if (verbose) {
-            System.out.println("size after fitting to maximum height: " + xsize + ", "
-                                   + ysize);
+            System.out.println("size after fitting to maximum height: " + newDimension.width + ", "
+                                   + newDimension.height);
        }

+        xsize = newDimension.width;
+        ysize = newDimension.height;
+
        // create an image buffer for the thumbnail with the new xsize, ysize
-        BufferedImage thumbnail = new BufferedImage((int) xsize, (int) ysize,
-                                                    BufferedImage.TYPE_INT_RGB);
+        BufferedImage thumbnail = new BufferedImage(xsize, ysize, BufferedImage.TYPE_INT_RGB);

        // Use blurring if selected in config.
        // a little blur before scaling does wonders for keeping moire in check.
        if (blurring) {
            // send the buffered image off to get blurred.
-            buf = getBlurredInstance((BufferedImage) buf);
+            correctedImage = getBlurredInstance(correctedImage);
        }

        // Use high quality scaling method if selected in config.
        // this has a definite performance penalty.
        if (hqscaling) {
            // send the buffered image off to get an HQ downscale.
-            buf = getScaledInstance((BufferedImage) buf, (int) xsize, (int) ysize,
-                                    (Object) RenderingHints.VALUE_INTERPOLATION_BICUBIC, (boolean) true);
+            correctedImage = getScaledInstance(correctedImage, xsize, ysize,
+                                               RenderingHints.VALUE_INTERPOLATION_BICUBIC, true);
        }

        // now render the image into the thumbnail buffer
        Graphics2D g2d = thumbnail.createGraphics();
-        g2d.drawImage(buf, 0, 0, (int) xsize, (int) ysize, null);
+        g2d.drawImage(correctedImage, 0, 0, xsize, ysize, null);

        if (brandHeight != 0) {
            ConfigurationService configurationService
                    = DSpaceServicesFactory.getInstance().getConfigurationService();
-            Brand brand = new Brand((int) xsize, brandHeight, new Font(brandFont, Font.PLAIN, brandFontPoint), 5);
+            Brand brand = new Brand(xsize, brandHeight, new Font(brandFont, Font.PLAIN, brandFontPoint), 5);
            BufferedImage brandImage = brand.create(configurationService.getProperty("webui.preview.brand"),
                                                    configurationService.getProperty("webui.preview.brand.abbrev"),
                                                    currentItem == null ? "" : "hdl:" + currentItem.getHandle());

-            g2d.drawImage(brandImage, (int) 0, (int) ysize, (int) xsize, (int) 20, null);
+            g2d.drawImage(brandImage, 0, ysize, xsize, 20, null);
        }

+
+        ByteArrayInputStream bais;
        // now create an input stream for the thumbnail buffer and return it
-        ByteArrayOutputStream baos = new ByteArrayOutputStream();
-
-        ImageIO.write(thumbnail, "jpeg", baos);
-
-        // now get the array
-        ByteArrayInputStream bais = new ByteArrayInputStream(baos.toByteArray());
+        try (ByteArrayOutputStream baos = new ByteArrayOutputStream()) {
+            ImageIO.write(thumbnail, "jpeg", baos);
+            // now get the array
+            bais = new ByteArrayInputStream(baos.toByteArray());
+        }

        return bais; // hope this gets written out before its garbage collected!
    }
--- a/dspace-api/src/main/java/org/dspace/app/mediafilter/PDFBoxThumbnail.java
+++ b/dspace-api/src/main/java/org/dspace/app/mediafilter/PDFBoxThumbnail.java
@@ -11,6 +11,8 @@ import java.awt.image.BufferedImage;
 import java.io.InputStream;

 import org.apache.logging.log4j.Logger;
+import org.apache.pdfbox.Loader;
+import org.apache.pdfbox.io.RandomAccessReadBuffer;
 import org.apache.pdfbox.pdmodel.PDDocument;
 import org.apache.pdfbox.pdmodel.encryption.InvalidPasswordException;
 import org.apache.pdfbox.rendering.PDFRenderer;
@@ -71,7 +73,7 @@ public class PDFBoxThumbnail extends MediaFilter {
        BufferedImage buf;

        // Render the page image.
-        try ( PDDocument doc = PDDocument.load(source); ) {
+        try ( PDDocument doc = Loader.loadPDF(new RandomAccessReadBuffer(source)); ) {
            PDFRenderer renderer = new PDFRenderer(doc);
            buf = renderer.renderImage(0);
        } catch (InvalidPasswordException ex) {
@@ -81,6 +83,7 @@ public class PDFBoxThumbnail extends MediaFilter {

        // Generate thumbnail derivative and return as IO stream.
        JPEGFilter jpegFilter = new JPEGFilter();
+
        return jpegFilter.getThumb(currentItem, buf, verbose);
    }
 }
--- a/dspace-api/src/main/java/org/dspace/app/mediafilter/TikaTextExtractionFilter.java
+++ b/dspace-api/src/main/java/org/dspace/app/mediafilter/TikaTextExtractionFilter.java
@@ -38,6 +38,8 @@ import org.xml.sax.SAXException;
 public class TikaTextExtractionFilter
    extends MediaFilter {
    private final static Logger log = LogManager.getLogger();
+    private static final int DEFAULT_MAX_CHARS = 100_000;
+    private static final int DEFAULT_MAX_ARRAY = 1_000_000;

    @Override
    public String getFilteredName(String oldFilename) {
@@ -71,15 +73,16 @@ public class TikaTextExtractionFilter
        }

        // Not using temporary file. We'll use Tika's default in-memory parsing.
-        // Get maximum characters to extract. Default is 100,000 chars, which is also Tika's default setting.
        String extractedText;
-        int maxChars = configurationService.getIntProperty("textextractor.max-chars", 100_000);
+        // Get maximum characters to extract. Default is 100,000 chars, which is also Tika's default setting.
+        int maxChars = configurationService.getIntProperty("textextractor.max-chars", DEFAULT_MAX_CHARS);
+        // Get maximum size of structure that Tika will try to buffer.
+        int maxArray = configurationService.getIntProperty("textextractor.max-array", DEFAULT_MAX_ARRAY);
+        IOUtils.setByteArrayMaxOverride(maxArray);
        try {
            // Use Tika to extract text from input. Tika will automatically detect the file type.
            Tika tika = new Tika();
            tika.setMaxStringLength(maxChars); // Tell Tika the maximum number of characters to extract
-            IOUtils.setByteArrayMaxOverride(
-                    configurationService.getIntProperty("textextractor.max-array", 100_000_000));
            extractedText = tika.parseToString(source);
        } catch (IOException e) {
            System.err.format("Unable to extract text from bitstream in Item %s%n", currentItem.getID().toString());
@@ -141,7 +144,7 @@ public class TikaTextExtractionFilter
                @Override
                public void characters(char[] ch, int start, int length) throws SAXException {
                    try {
-                        writer.append(new String(ch), start, length);
+                        writer.append(new String(ch, start, length));
                    } catch (IOException e) {
                        String errorMsg = String.format("Could not append to temporary file at %s " +
                                                            "when performing text extraction",
@@ -159,7 +162,7 @@ public class TikaTextExtractionFilter
                @Override
                public void ignorableWhitespace(char[] ch, int start, int length) throws SAXException {
                    try {
-                        writer.append(new String(ch), start, length);
+                        writer.append(new String(ch, start, length));
                    } catch (IOException e) {
                        String errorMsg = String.format("Could not append to temporary file at %s " +
                                                            "when performing text extraction",
@@ -170,6 +173,10 @@ public class TikaTextExtractionFilter
                }
            });

+            ConfigurationService configurationService = DSpaceServicesFactory.getInstance().getConfigurationService();
+            int maxArray = configurationService.getIntProperty("textextractor.max-array", DEFAULT_MAX_ARRAY);
+            IOUtils.setByteArrayMaxOverride(maxArray);
+
            AutoDetectParser parser = new AutoDetectParser();
            Metadata metadata = new Metadata();
            // parse our source InputStream using the above custom handler
--- a/dspace-api/src/main/java/org/dspace/app/packager/Packager.java
+++ b/dspace-api/src/main/java/org/dspace/app/packager/Packager.java
@@ -224,7 +224,7 @@ public class Packager {
            } else {
                //otherwise, display list of valid packager types
                System.out.println("\nAvailable Submission Package (SIP) types:");
-                String pn[] = pluginService
+                String[] pn = pluginService
                    .getAllPluginNames(PackageIngester.class);
                for (int i = 0; i < pn.length; ++i) {
                    System.out.println("  " + pn[i]);
@@ -274,7 +274,7 @@ public class Packager {
            // process
            pkgParams.setRecursiveModeEnabled(true);
        }
-        String files[] = line.getArgs();
+        String[] files = line.getArgs();
        if (files.length > 0) {
            sourceFile = files[0];
        }
@@ -282,9 +282,9 @@ public class Packager {
            myPackager.submit = false;
        }
        if (line.hasOption('o')) {
-            String popt[] = line.getOptionValues('o');
+            String[] popt = line.getOptionValues('o');
            for (int i = 0; i < popt.length; ++i) {
-                String pair[] = popt[i].split("\\=", 2);
+                String[] pair = popt[i].split("\\=", 2);
                if (pair.length == 2) {
                    pkgParams.addProperty(pair[0].trim(), pair[1].trim());
                } else if (pair.length == 1) {
@@ -383,7 +383,7 @@ public class Packager {
            }

            // validate each parent arg (if any)
-            DSpaceObject parentObjs[] = null;
+            DSpaceObject[] parentObjs = null;
            if (parents != null) {
                System.out.println("Destination parents:");

@@ -461,7 +461,7 @@ public class Packager {
     * @throws PackageException      if packaging error
     */
    protected void ingest(Context context, PackageIngester sip, PackageParameters pkgParams, String sourceFile,
-                          DSpaceObject parentObjs[])
+                          DSpaceObject[] parentObjs)
        throws IOException, SQLException, FileNotFoundException, AuthorizeException, CrosswalkException,
        PackageException {
        // make sure we have an input file
--- a/dspace-api/src/main/java/org/dspace/app/sfx/SFXFileReaderServiceImpl.java
+++ b/dspace-api/src/main/java/org/dspace/app/sfx/SFXFileReaderServiceImpl.java
@@ -18,6 +18,7 @@ import javax.xml.parsers.ParserConfigurationException;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.Logger;
 import org.dspace.app.sfx.service.SFXFileReaderService;
+import org.dspace.app.util.XMLUtils;
 import org.dspace.content.DCPersonName;
 import org.dspace.content.Item;
 import org.dspace.content.MetadataValue;
@@ -79,9 +80,9 @@ public class SFXFileReaderServiceImpl implements SFXFileReaderService {
        log.info("Parsing XML file... " + fileName);
        DocumentBuilder docBuilder;
        Document doc = null;
-        DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
-        docBuilderFactory.setIgnoringElementContentWhitespace(true);
        try {
+            DocumentBuilderFactory docBuilderFactory = XMLUtils.getDocumentBuilderFactory();
+            docBuilderFactory.setIgnoringElementContentWhitespace(true);
            docBuilder = docBuilderFactory.newDocumentBuilder();
        } catch (ParserConfigurationException e) {
            log.error("Wrong parser configuration: " + e.getMessage());
--- a/dspace-api/src/main/java/org/dspace/app/sitemap/GenerateSitemaps.java
+++ b/dspace-api/src/main/java/org/dspace/app/sitemap/GenerateSitemaps.java
@@ -7,6 +7,8 @@
 */
 package org.dspace.app.sitemap;

+import static org.dspace.discovery.SearchUtils.RESOURCE_TYPE_FIELD;
+
 import java.io.File;
 import java.io.IOException;
 import java.sql.SQLException;
@@ -188,7 +190,8 @@ public class GenerateSitemaps {
        try {
            DiscoverQuery discoveryQuery = new DiscoverQuery();
            discoveryQuery.setMaxResults(PAGE_SIZE);
-            discoveryQuery.setQuery("search.resourcetype:Community");
+            discoveryQuery.setQuery("*:*");
+            discoveryQuery.addFilterQueries(RESOURCE_TYPE_FIELD + ":Community");
            do {
                discoveryQuery.setStart(offset);
                DiscoverResult discoverResult = searchService.search(c, discoveryQuery);
@@ -212,7 +215,8 @@ public class GenerateSitemaps {
            offset = 0;
            discoveryQuery = new DiscoverQuery();
            discoveryQuery.setMaxResults(PAGE_SIZE);
-            discoveryQuery.setQuery("search.resourcetype:Collection");
+            discoveryQuery.setQuery("*:*");
+            discoveryQuery.addFilterQueries(RESOURCE_TYPE_FIELD + ":Collection");
            do {
                discoveryQuery.setStart(offset);
                DiscoverResult discoverResult = searchService.search(c, discoveryQuery);
@@ -236,7 +240,8 @@ public class GenerateSitemaps {
            offset = 0;
            discoveryQuery = new DiscoverQuery();
            discoveryQuery.setMaxResults(PAGE_SIZE);
-            discoveryQuery.setQuery("search.resourcetype:Item");
+            discoveryQuery.setQuery("*:*");
+            discoveryQuery.addFilterQueries(RESOURCE_TYPE_FIELD + ":Item");
            discoveryQuery.addSearchField("search.entitytype");
            do {

--- a/dspace-api/src/main/java/org/dspace/app/solrdatabaseresync/SolrDatabaseResyncCli.java
+++ b/dspace-api/src/main/java/org/dspace/app/solrdatabaseresync/SolrDatabaseResyncCli.java
@@ -99,7 +99,8 @@ public class SolrDatabaseResyncCli extends DSpaceRunnable<SolrDatabaseResyncCliS

    private void performStatusUpdate(Context context) throws SearchServiceException, SolrServerException, IOException {
        SolrQuery solrQuery = new SolrQuery();
-        solrQuery.setQuery(STATUS_FIELD + ":" + STATUS_FIELD_PREDB);
+        solrQuery.setQuery("*:*");
+        solrQuery.addFilterQuery(STATUS_FIELD + ":" + STATUS_FIELD_PREDB);
        solrQuery.addFilterQuery(SearchUtils.RESOURCE_TYPE_FIELD + ":" + IndexableItem.TYPE);
        String dateRangeFilter = SearchUtils.LAST_INDEXED_FIELD + ":[* TO " + maxTime + "]";
        logDebugAndOut("Date range filter used; " + dateRangeFilter);
--- a/dspace-api/src/main/java/org/dspace/app/suggestion/runnable/PublicationLoaderRunnable.java
+++ b/dspace-api/src/main/java/org/dspace/app/suggestion/runnable/PublicationLoaderRunnable.java
@@ -119,8 +119,11 @@ public class PublicationLoaderRunnable
            DiscoverResultItemIterator researchers = findResearchers();
            while (researchers.hasNext()) {
                Item researcher = researchers.next();
+                researcher = context.reloadEntity(researcher);
                publicationLoader.importRecords(context, researcher);
                setLastImportMetadataValue(researcher);
+                context.commit();
+                context.uncacheEntity(researcher);
            }
        } finally {
            context.restoreAuthSystemState();
--- a/dspace-api/src/main/java/org/dspace/app/util/DCInputsReader.java
+++ b/dspace-api/src/main/java/org/dspace/app/util/DCInputsReader.java
@@ -15,7 +15,6 @@ import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
 import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.FactoryConfigurationError;

 import org.apache.commons.lang3.StringUtils;
@@ -118,15 +117,17 @@ public class DCInputsReader {
        formDefns = new HashMap<String, List<List<Map<String, String>>>>();
        valuePairs = new HashMap<String, List<String>>();

-        String uri = "file:" + new File(fileName).getAbsolutePath();
+        File inputFile = new File(fileName);
+        String inputFileDir = inputFile.toPath().normalize().getParent().toString();
+
+        String uri = "file:" + inputFile.getAbsolutePath();

        try {
-            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
-            factory.setValidating(false);
-            factory.setIgnoringComments(true);
-            factory.setIgnoringElementContentWhitespace(true);
-
-            DocumentBuilder db = factory.newDocumentBuilder();
+            // This document builder will *not* disable external
+            // entities as they can be useful in managing large forms, but
+            // it will restrict them to be within the directory that the
+            // current input form XML file exists (or a sub-directory)
+            DocumentBuilder db = XMLUtils.getTrustedDocumentBuilder(inputFileDir);
            Document doc = db.parse(uri);
            doNodes(doc);
            checkValues();
--- a/dspace-api/src/main/java/org/dspace/app/util/InitializeEntities.java
+++ b/dspace-api/src/main/java/org/dspace/app/util/InitializeEntities.java
@@ -11,7 +11,6 @@ import java.io.File;
 import java.io.IOException;
 import java.sql.SQLException;
 import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;

 import org.apache.commons.cli.CommandLine;
@@ -139,8 +138,9 @@ public class InitializeEntities {
    private void parseXMLToRelations(Context context, String fileLocation) throws AuthorizeException {
        try {
            File fXmlFile = new File(fileLocation);
-            DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
-            DocumentBuilder dBuilder = dbFactory.newDocumentBuilder();
+            // This XML builder will allow external entities, so the relationship types XML should
+            // be considered trusted by administrators
+            DocumentBuilder dBuilder = XMLUtils.getTrustedDocumentBuilder();
            Document doc = dBuilder.parse(fXmlFile);

            doc.getDocumentElement().normalize();
--- a/dspace-api/src/main/java/org/dspace/app/util/MetadataExposureServiceImpl.java
+++ b/dspace-api/src/main/java/org/dspace/app/util/MetadataExposureServiceImpl.java
@@ -132,7 +132,7 @@ public class MetadataExposureServiceImpl implements MetadataExposureService {
                if (key.startsWith(CONFIG_PREFIX)) {
                    if (configurationService.getBooleanProperty(key, true)) {
                        String mdField = key.substring(CONFIG_PREFIX.length());
-                        String segment[] = mdField.split("\\.", 3);
+                        String[] segment = mdField.split("\\.", 3);

                        // got schema.element.qualifier
                        if (segment.length == 3) {
--- a/dspace-api/src/main/java/org/dspace/app/util/SubmissionConfigReader.java
+++ b/dspace-api/src/main/java/org/dspace/app/util/SubmissionConfigReader.java
@@ -16,7 +16,6 @@ import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
 import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.FactoryConfigurationError;

 import org.apache.commons.lang3.StringUtils;
@@ -170,13 +169,10 @@ public class SubmissionConfigReader {
        String uri = "file:" + new File(fileName).getAbsolutePath();

        try {
-            DocumentBuilderFactory factory = DocumentBuilderFactory
-                .newInstance();
-            factory.setValidating(false);
-            factory.setIgnoringComments(true);
-            factory.setIgnoringElementContentWhitespace(true);
-
-            DocumentBuilder db = factory.newDocumentBuilder();
+            // This document builder factory will *not* disable external
+            // entities as they can be useful in managing large forms, but
+            // it will restrict them to the config dir containing submission definitions
+            DocumentBuilder db = XMLUtils.getTrustedDocumentBuilder(configDir);
            Document doc = db.parse(uri);
            doNodes(doc);
        } catch (FactoryConfigurationError fe) {
@@ -732,4 +728,4 @@ public class SubmissionConfigReader {
        }
        return results;
    }
-}
+}
--- a/dspace-api/src/main/java/org/dspace/app/util/SyndicationFeed.java
+++ b/dspace-api/src/main/java/org/dspace/app/util/SyndicationFeed.java
@@ -113,7 +113,7 @@ public class SyndicationFeed {
        configurationService.getProperty("webui.feed.item.date", defaultDateField);

    // metadata field for Item description in entry:
-    private static final String descriptionFields[] =
+    private static final String[] descriptionFields =
        DSpaceServicesFactory.getInstance().getConfigurationService()
                             .getArrayProperty("webui.feed.item.description", defaultDescriptionFields);

--- a/dspace-api/src/main/java/org/dspace/app/util/XMLUtils.java
+++ b/dspace-api/src/main/java/org/dspace/app/util/XMLUtils.java
@@ -7,12 +7,26 @@
 */
 package org.dspace.app.util;

+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.nio.file.Path;
+import java.nio.file.Paths;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.List;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.stream.XMLInputFactory;

 import org.apache.commons.lang3.StringUtils;
+import org.jdom2.input.SAXBuilder;
 import org.w3c.dom.Element;
 import org.w3c.dom.NodeList;
+import org.xml.sax.EntityResolver;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;

 /**
 * Simple class to read information from small XML using DOM manipulation
@@ -161,4 +175,195 @@ public class XMLUtils {
        }
        return result;
    }
+
+    /**
+     * Initialize and return a javax DocumentBuilderFactory with NO security
+     * applied. This is intended only for internal, administrative/configuration
+     * use where external entities and other dangerous features are actually
+     * purposefully included.
+     * The method here is tiny, but may be expanded with other features like
+     * whitespace handling, and calling this method name helps to document
+     * the fact that the caller knows it is trusting the XML source / factory.
+     *
+     * @return document builder factory to generate new builders
+     * @throws ParserConfigurationException
+     */
+    public static DocumentBuilderFactory getTrustedDocumentBuilderFactory()
+            throws ParserConfigurationException {
+        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        return factory;
+    }
+
+    /**
+     * Initialize and return the javax DocumentBuilderFactory with some basic security
+     * applied to avoid XXE attacks and other unwanted content inclusion
+     * @return document builder factory to generate new builders
+     * @throws ParserConfigurationException
+     */
+    public static DocumentBuilderFactory getDocumentBuilderFactory()
+            throws ParserConfigurationException {
+        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        // No DOCTYPE / DTDs
+        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        // No external general entities
+        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+        // No external parameter entities
+        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+        // No external DTDs
+        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+        // Even if entities somehow get defined, they will not be expanded
+        factory.setExpandEntityReferences(false);
+        // Disable "XInclude" markup processing
+        factory.setXIncludeAware(false);
+
+        return factory;
+    }
+
+    /**
+     * Initialize and return a javax DocumentBuilder with less security
+     * applied. This is intended only for internal, administrative/configuration
+     * use where external entities and other dangerous features are actually
+     * purposefully included, but are only allowed from specified paths, e.g.
+     * dspace.dir or some other path specified by the java caller.
+     * The method here is tiny, but may be expanded with other features like
+     * whitespace handling, and calling this method name helps to document
+     * the fact that the caller knows it is trusting the XML source / builder
+     * <p>
+     * If no allowedPaths are passed, then all external entities are rejected
+     *
+     * @return document builder with no security features set
+     * @throws ParserConfigurationException if the builder can not be configured
+     */
+    public static DocumentBuilder getTrustedDocumentBuilder(String... allowedPaths)
+            throws ParserConfigurationException {
+        DocumentBuilderFactory factory = getTrustedDocumentBuilderFactory();
+        factory.setValidating(false);
+        factory.setIgnoringComments(true);
+        factory.setIgnoringElementContentWhitespace(true);
+        DocumentBuilder builder = factory.newDocumentBuilder();
+        builder.setEntityResolver(new PathRestrictedEntityResolver(allowedPaths));
+        return factory.newDocumentBuilder();
+    }
+
+    /**
+     * Initialize and return the javax DocumentBuilder with some basic security applied
+     * to avoid XXE attacks and other unwanted content inclusion
+     * @return document builder for use in XML parsing
+     * @throws ParserConfigurationException if the builder can not be configured
+     */
+    public static DocumentBuilder getDocumentBuilder()
+            throws ParserConfigurationException {
+        return getDocumentBuilderFactory().newDocumentBuilder();
+    }
+
+    /**
+     * Initialize and return the SAX document builder with some basic security applied
+     * to avoid XXE attacks and other unwanted content inclusion
+     * @return SAX document builder for use in XML parsing
+     */
+    public static SAXBuilder getSAXBuilder() {
+        return getSAXBuilder(false);
+    }
+
+    /**
+     * Initialize and return the SAX document builder with some basic security applied
+     * to avoid XXE attacks and other unwanted content inclusion
+     * @param validate whether to use JDOM XSD validation
+     * @return SAX document builder for use in XML parsing
+     */
+    public static SAXBuilder getSAXBuilder(boolean validate) {
+        SAXBuilder saxBuilder = new SAXBuilder();
+        if (validate) {
+            saxBuilder.setValidation(true);
+        }
+        // No DOCTYPE / DTDs
+        saxBuilder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        // No external general entities
+        saxBuilder.setFeature("http://xml.org/sax/features/external-general-entities", false);
+        // No external parameter entities
+        saxBuilder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+        // No external DTDs
+        saxBuilder.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+        // Don't expand entities
+        saxBuilder.setExpandEntities(false);
+
+        return saxBuilder;
+    }
+
+    /**
+     * Initialize and return the Java XML Input Factory with some basic security applied
+     * to avoid XXE attacks and other unwanted content inclusion
+     * @return XML input factory for use in XML parsing
+     */
+    public static XMLInputFactory getXMLInputFactory() {
+        XMLInputFactory xmlInputFactory = XMLInputFactory.newFactory();
+        xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+
+        return xmlInputFactory;
+    }
+
+    /**
+     * This entity resolver accepts one or more path strings in its
+     * constructor and throws a SAXException if the entity systemID
+     * is not within the allowed path (or a subdirectory).
+     * If no parameters are passed, then this effectively disallows
+     * any external entity resolution.
+     */
+    public static class PathRestrictedEntityResolver implements EntityResolver {
+        private final List<String> allowedBasePaths;
+
+        public PathRestrictedEntityResolver(String... allowedBasePaths) {
+            this.allowedBasePaths = Arrays.asList(allowedBasePaths);
+        }
+
+        @Override
+        public InputSource resolveEntity(String publicId, String systemId)
+                throws SAXException, IOException {
+
+            if (systemId == null) {
+                return null;
+            }
+
+            String filePath;
+            if (systemId.startsWith("file://")) {
+                filePath = systemId.substring(7);
+            } else if (systemId.startsWith("file:")) {
+                filePath = systemId.substring(5);
+            } else if (!systemId.contains("://")) {
+                filePath = systemId;
+            } else {
+                throw new SAXException("External resources not allowed: " + systemId +
+                        ". Only local file paths are permitted.");
+            }
+
+            Path resolvedPath;
+            try {
+                resolvedPath = Paths.get(filePath).toAbsolutePath().normalize();
+            } catch (Exception e) {
+                throw new SAXException("Invalid path: " + systemId, e);
+            }
+
+            boolean isAllowed = false;
+            for (String basePath : allowedBasePaths) {
+                Path allowedPath = Paths.get(basePath).toAbsolutePath().normalize();
+                if (resolvedPath.startsWith(allowedPath)) {
+                    isAllowed = true;
+                    break;
+                }
+            }
+
+            if (!isAllowed) {
+                throw new SAXException("Access denied to path: " + resolvedPath);
+            }
+
+            File file = resolvedPath.toFile();
+            if (!file.exists() || !file.canRead()) {
+                throw new SAXException("File not found or not readable: " + resolvedPath);
+            }
+
+            return new InputSource(new FileInputStream(file));
+        }
+    }
+
+
 }
--- a/dspace-api/src/main/java/org/dspace/authenticate/LDAPAuthentication.java
+++ b/dspace-api/src/main/java/org/dspace/authenticate/LDAPAuthentication.java
@@ -535,7 +535,7 @@ public class LDAPAuthentication implements AuthenticationMethod {
                            resultDN = (sr.getName() + "," + ldap_search_context);
                        }

-                        String attlist[] = {ldap_email_field, ldap_givenname_field,
+                        String[] attlist = {ldap_email_field, ldap_givenname_field,
                            ldap_surname_field, ldap_phone_field, ldap_group_field};
                        Attributes atts = sr.getAttributes();
                        Attribute att;
@@ -743,7 +743,7 @@ public class LDAPAuthentication implements AuthenticationMethod {
            // groupmap contains the mapping of LDAP groups to DSpace groups
            // outer loop with the DSpace groups
            while (groupMap != null) {
-                String t[] = groupMap.split(":");
+                String[] t = groupMap.split(":");
                String ldapSearchString = t[0];
                String dspaceGroupName = t[1];

--- a/dspace-api/src/main/java/org/dspace/authority/AuthorityValueServiceImpl.java
+++ b/dspace-api/src/main/java/org/dspace/authority/AuthorityValueServiceImpl.java
@@ -20,8 +20,6 @@ import org.apache.solr.client.solrj.response.QueryResponse;
 import org.apache.solr.common.SolrDocument;
 import org.dspace.authority.service.AuthorityValueService;
 import org.dspace.content.authority.SolrAuthority;
-import org.dspace.core.Context;
-import org.dspace.core.LogHelper;
 import org.springframework.beans.factory.annotation.Autowired;

 /**
@@ -36,7 +34,7 @@ public class AuthorityValueServiceImpl implements AuthorityValueService {

    private final Logger log = org.apache.logging.log4j.LogManager.getLogger(AuthorityValueServiceImpl.class);

-    @Autowired(required = true)
+    @Autowired
    protected AuthorityTypes authorityTypes;

    protected AuthorityValueServiceImpl() {
@@ -44,7 +42,7 @@ public class AuthorityValueServiceImpl implements AuthorityValueService {
    }

    @Override
-    public AuthorityValue generate(Context context, String authorityKey, String content, String field) {
+    public AuthorityValue generate(String authorityKey, String content, String field) {
        AuthorityValue nextValue = null;

        nextValue = generateRaw(authorityKey, content, field);
@@ -55,7 +53,7 @@ public class AuthorityValueServiceImpl implements AuthorityValueService {
            if (StringUtils.isBlank(authorityKey)) {
                // An existing metadata without authority is being indexed
                // If there is an exact match in the index, reuse it before adding a new one.
-                List<AuthorityValue> byValue = findByExactValue(context, field, content);
+                List<AuthorityValue> byValue = findByExactValue(field, content);
                if (byValue != null && !byValue.isEmpty()) {
                    authorityKey = byValue.get(0).getId();
                } else {
@@ -118,71 +116,70 @@ public class AuthorityValueServiceImpl implements AuthorityValueService {
    /**
     * Item.ANY does not work here.
     *
-     * @param context     Context
     * @param authorityID authority id
     * @return AuthorityValue
     */
    @Override
-    public AuthorityValue findByUID(Context context, String authorityID) {
+    public AuthorityValue findByUID(String authorityID) {
        //Ensure that if we use the full identifier to match on
        String queryString = "id:\"" + authorityID + "\"";
-        List<AuthorityValue> findings = find(context, queryString);
+        List<AuthorityValue> findings = find(queryString);
        return findings.size() > 0 ? findings.get(0) : null;
    }

    @Override
-    public List<AuthorityValue> findByValue(Context context, String field, String value) {
+    public List<AuthorityValue> findByValue(String field, String value) {
        String queryString = "value:" + value + " AND field:" + field;
-        return find(context, queryString);
+        return find(queryString);
    }

    @Override
-    public AuthorityValue findByOrcidID(Context context, String orcid_id) {
+    public AuthorityValue findByOrcidID(String orcid_id) {
        String queryString = "orcid_id:" + orcid_id;
-        List<AuthorityValue> findings = find(context, queryString);
+        List<AuthorityValue> findings = find(queryString);
        return findings.size() > 0 ? findings.get(0) : null;
    }

    @Override
-    public List<AuthorityValue> findByExactValue(Context context, String field, String value) {
+    public List<AuthorityValue> findByExactValue(String field, String value) {
        String queryString = "value:\"" + value + "\" AND field:" + field;
-        return find(context, queryString);
+        return find(queryString);
    }

    @Override
-    public List<AuthorityValue> findByValue(Context context, String schema, String element, String qualifier,
+    public List<AuthorityValue> findByValue(String schema, String element, String qualifier,
                                            String value) {
        String field = fieldParameter(schema, element, qualifier);
-        return findByValue(context, field, value);
+        return findByValue(field, value);
    }

    @Override
-    public List<AuthorityValue> findByName(Context context, String schema, String element, String qualifier,
+    public List<AuthorityValue> findByName(String schema, String element, String qualifier,
                                           String name) {
        String field = fieldParameter(schema, element, qualifier);
        String queryString = "first_name:" + name + " OR last_name:" + name + " OR name_variant:" + name + " AND " +
            "field:" + field;
-        return find(context, queryString);
+        return find(queryString);
    }

    @Override
-    public List<AuthorityValue> findByAuthorityMetadata(Context context, String schema, String element,
+    public List<AuthorityValue> findByAuthorityMetadata(String schema, String element,
                                                        String qualifier, String value) {
        String field = fieldParameter(schema, element, qualifier);
        String queryString = "all_Labels:" + value + " AND field:" + field;
-        return find(context, queryString);
+        return find(queryString);
    }

    @Override
-    public List<AuthorityValue> findOrcidHolders(Context context) {
+    public List<AuthorityValue> findOrcidHolders() {
        String queryString = "orcid_id:*";
-        return find(context, queryString);
+        return find(queryString);
    }

    @Override
-    public List<AuthorityValue> findAll(Context context) {
+    public List<AuthorityValue> findAll() {
        String queryString = "*:*";
-        return find(context, queryString);
+        return find(queryString);
    }

    @Override
@@ -204,7 +201,7 @@ public class AuthorityValueServiceImpl implements AuthorityValueService {
        return fromAuthority;
    }

-    protected List<AuthorityValue> find(Context context, String queryString) {
+    protected List<AuthorityValue> find(String queryString) {
        List<AuthorityValue> findings = new ArrayList<AuthorityValue>();
        try {
            SolrQuery solrQuery = new SolrQuery();
@@ -220,8 +217,7 @@ public class AuthorityValueServiceImpl implements AuthorityValueService {
                }
            }
        } catch (Exception e) {
-            log.error(LogHelper.getHeader(context, "Error while retrieving AuthorityValue from solr",
-                                           "query: " + queryString), e);
+            log.error("Error while retrieving AuthorityValue from solr. query: " + queryString, e);
        }

        return findings;
--- a/dspace-api/src/main/java/org/dspace/authority/UpdateAuthorities.java
+++ b/dspace-api/src/main/java/org/dspace/authority/UpdateAuthorities.java
@@ -133,11 +133,11 @@ public class UpdateAuthorities {
        if (selectedIDs != null && !selectedIDs.isEmpty()) {
            authorities = new ArrayList<>();
            for (String selectedID : selectedIDs) {
-                AuthorityValue byUID = authorityValueService.findByUID(context, selectedID);
+                AuthorityValue byUID = authorityValueService.findByUID(selectedID);
                authorities.add(byUID);
            }
        } else {
-            authorities = authorityValueService.findAll(context);
+            authorities = authorityValueService.findAll();
        }

        if (authorities != null) {
--- a/dspace-api/src/main/java/org/dspace/authority/indexer/DSpaceAuthorityIndexer.java
+++ b/dspace-api/src/main/java/org/dspace/authority/indexer/DSpaceAuthorityIndexer.java
@@ -148,12 +148,12 @@ public class DSpaceAuthorityIndexer implements AuthorityIndexerInterface, Initia
                !metadataAuthorityKey.startsWith(AuthorityValueService.GENERATE)) {
            // !uid.startsWith(AuthorityValueGenerator.GENERATE) is not strictly
            // necessary here but it prevents exceptions in solr
-            AuthorityValue value = authorityValueService.findByUID(context, metadataAuthorityKey);
+            AuthorityValue value = authorityValueService.findByUID(metadataAuthorityKey);
            if (value != null) {
                return value;
            }
        }
-        return authorityValueService.generate(context, metadataAuthorityKey,
+        return authorityValueService.generate(metadataAuthorityKey,
                metadataContent, metadataField.replaceAll("\\.", "_"));
    }

--- a/dspace-api/src/main/java/org/dspace/authority/service/AuthorityValueService.java
+++ b/dspace-api/src/main/java/org/dspace/authority/service/AuthorityValueService.java
@@ -11,7 +11,6 @@ import java.util.List;

 import org.apache.solr.common.SolrDocument;
 import org.dspace.authority.AuthorityValue;
-import org.dspace.core.Context;

 /**
 * This service contains all methods for using authority values
@@ -25,32 +24,125 @@ public interface AuthorityValueService {
    public static final String SPLIT = "::";
    public static final String GENERATE = "will be generated" + SPLIT;

-    public AuthorityValue generate(Context context, String authorityKey, String content, String field);
+    /**
+     * Generates an {@link AuthorityValue} based on the given parameters.
+     *
+     * @param authorityKey  the authority key to be assigned to the generated authority value
+     * @param content       the content of the generated authority value
+     * @param field         the field of the generated authority value
+     * @return the generated {@link AuthorityValue}
+     */
+    public AuthorityValue generate(String authorityKey, String content, String field);

+    /**
+     * Updates an AuthorityValue.
+     *
+     * @param value the AuthorityValue to be updated
+     * @return the updated AuthorityValue
+     */
    public AuthorityValue update(AuthorityValue value);

-    public AuthorityValue findByUID(Context context, String authorityID);
+    /**
+     * Finds an AuthorityValue based on the provided authorityID.
+     *
+     * @param authorityID the authority ID used to search for the AuthorityValue
+     * @return the found AuthorityValue, or null if no match is found
+     */
+    public AuthorityValue findByUID(String authorityID);

-    public List<AuthorityValue> findByValue(Context context, String field, String value);
+    /**
+     * Finds AuthorityValues in the given context based on field and value.
+     *
+     * @param field the field to search for AuthorityValues
+     * @param value the value to search for AuthorityValues
+     * @return a list of found AuthorityValues matching the given field and value, or an empty list if no match is found
+     */
+    public List<AuthorityValue> findByValue(String field, String value);

-    public AuthorityValue findByOrcidID(Context context, String orcid_id);
+    /**
+     * Finds an {@link AuthorityValue} based on the provided ORCID ID.
+     *
+     * @param orcid_id the ORCID ID used to search for the AuthorityValue
+     * @return the found AuthorityValue, or null if no match is found
+     */
+    public AuthorityValue findByOrcidID(String orcid_id);

-    public List<AuthorityValue> findByName(Context context, String schema, String element, String qualifier,
+    /**
+     * Finds {@link AuthorityValue}s based on the provided metadata schema, element, qualifier, and name.
+     *
+     * @param schema    the schema of the AuthorityValue
+     * @param element   the element of the AuthorityValue
+     * @param qualifier the qualifier of the AuthorityValue
+     * @param name      the name of the AuthorityValue
+     * @return a list of found AuthorityValues matching the given schema, element, qualifier, and name,
+     *         or an empty list if no match is found
+     */
+    public List<AuthorityValue> findByName(String schema, String element, String qualifier,
                                           String name);

-    public List<AuthorityValue> findByAuthorityMetadata(Context context, String schema, String element,
+    /**
+     * Finds {@link AuthorityValue}s based on the provided metadata schema, element, qualifier, and value.
+     *
+     * @param schema    the schema of the AuthorityValue
+     * @param element   the element of the AuthorityValue
+     * @param qualifier the qualifier of the AuthorityValue
+     * @param value     the value of the AuthorityValue
+     * @return a list of found AuthorityValues matching the given schema, element, qualifier, and value,
+     *         or an empty list if no match is found
+     */
+    public List<AuthorityValue> findByAuthorityMetadata(String schema, String element,
                                                        String qualifier, String value);

-    public List<AuthorityValue> findByExactValue(Context context, String field, String value);
+    /**
+     * Finds {@link AuthorityValue}s in the given context based on the exact field and value.
+     *
+     * @param field the field to search for AuthorityValues
+     * @param value the value to search for AuthorityValues
+     * @return a list of found AuthorityValues matching the given field and value,
+     *         or an empty list if no match is found
+     */
+    public List<AuthorityValue> findByExactValue(String field, String value);

-    public List<AuthorityValue> findByValue(Context context, String schema, String element, String qualifier,
+    /**
+     * Finds {@link AuthorityValue}s based on the provided metadata schema, element, qualifier, and value.
+     *
+     * @param schema    the schema of the AuthorityValue
+     * @param element   the element of the AuthorityValue
+     * @param qualifier the qualifier of the AuthorityValue
+     * @param value     the value of the AuthorityValue
+     * @return a list of found AuthorityValues matching the given schema, element, qualifier, and value,
+     *         or an empty list if no match is found
+     */
+    public List<AuthorityValue> findByValue(String schema, String element, String qualifier,
                                            String value);

-    public List<AuthorityValue> findOrcidHolders(Context context);
+    /**
+     * Finds AuthorityValues that are ORCID person authority values.
+     *
+     * @return a list of AuthorityValues or an empty list if no matching values are found
+     */
+    public List<AuthorityValue> findOrcidHolders();

-    public List<AuthorityValue> findAll(Context context);
+    /**
+     * Retrieves all AuthorityValues from Solr.
+     *
+     * @return A list of all AuthorityValues.
+     */
+    public List<AuthorityValue> findAll();

+    /**
+     * Converts a SolrDocument into an AuthorityValue object.
+     *
+     * @param solrDocument the SolrDocument to convert
+     * @return the converted AuthorityValue object
+     */
    public AuthorityValue fromSolr(SolrDocument solrDocument);

+    /**
+     * Retrieves the type of authority value based on the provided metadata string.
+     *
+     * @param metadataString the metadata string used to determine the authority value type
+     * @return the {@link AuthorityValue} representing the type of authority value, or null if no match is found
+     */
    public AuthorityValue getAuthorityValueType(String metadataString);
 }
--- a/dspace-api/src/main/java/org/dspace/authorize/AuthorizeServiceImpl.java
+++ b/dspace-api/src/main/java/org/dspace/authorize/AuthorizeServiceImpl.java
@@ -9,12 +9,14 @@ package org.dspace.authorize;

 import static org.dspace.app.util.AuthorizeUtil.canCollectionAdminManageAccounts;
 import static org.dspace.app.util.AuthorizeUtil.canCommunityAdminManageAccounts;
+import static org.dspace.discovery.SearchUtils.RESOURCE_TYPE_FIELD;

 import java.sql.SQLException;
 import java.time.LocalDate;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
+import java.util.Objects;
 import java.util.UUID;

 import org.apache.commons.collections4.CollectionUtils;
@@ -47,6 +49,7 @@ import org.dspace.discovery.indexobject.IndexableItem;
 import org.dspace.eperson.EPerson;
 import org.dspace.eperson.Group;
 import org.dspace.eperson.service.GroupService;
+import org.dspace.services.ConfigurationService;
 import org.dspace.workflow.WorkflowItemService;
 import org.springframework.beans.factory.annotation.Autowired;

@@ -83,6 +86,8 @@ public class AuthorizeServiceImpl implements AuthorizeService {
    protected WorkflowItemService workflowItemService;
    @Autowired(required = true)
    private SearchService searchService;
+    @Autowired(required = true)
+    private ConfigurationService configurationService;


    protected AuthorizeServiceImpl() {
@@ -507,17 +512,26 @@ public class AuthorizeServiceImpl implements AuthorizeService {
        return resourcePolicyService.find(c, o, actionID);
    }

+    @Override
+    public void inheritPolicies(Context c, DSpaceObject src, DSpaceObject dest)
+        throws SQLException, AuthorizeException {
+        inheritPolicies(c, src, dest, false);
+    }
+
    @Override
    public void inheritPolicies(Context c, DSpaceObject src,
-                                DSpaceObject dest) throws SQLException, AuthorizeException {
+                                DSpaceObject dest, boolean includeCustom) throws SQLException, AuthorizeException {
        // find all policies for the source object
        List<ResourcePolicy> policies = getPolicies(c, src);

-        //Only inherit non-ADMIN policies (since ADMIN policies are automatically inherited)
-        //and non-custom policies as these are manually applied when appropriate
+        // Only inherit non-ADMIN policies (since ADMIN policies are automatically inherited)
+        // and non-custom policies (usually applied manually?) UNLESS specified otherwise with includCustom
+        // (for example, item.addBundle() will inherit custom policies to enforce access conditions)
        List<ResourcePolicy> nonAdminPolicies = new ArrayList<>();
        for (ResourcePolicy rp : policies) {
-            if (rp.getAction() != Constants.ADMIN && !StringUtils.equals(rp.getRpType(), ResourcePolicy.TYPE_CUSTOM)) {
+            if (rp.getAction() != Constants.ADMIN && (!StringUtils.equals(rp.getRpType(), ResourcePolicy.TYPE_CUSTOM)
+                        || (includeCustom && StringUtils.equals(rp.getRpType(), ResourcePolicy.TYPE_CUSTOM)
+                            && isNotAlreadyACustomRPOfThisTypeOnDSO(c, dest)))) {
                nonAdminPolicies.add(rp);
            }
        }
@@ -737,7 +751,7 @@ public class AuthorizeServiceImpl implements AuthorizeService {
     */
    @Override
    public boolean isCommunityAdmin(Context context) throws SQLException {
-        return performCheck(context, "search.resourcetype:" + IndexableCommunity.TYPE);
+        return performCheck(context, RESOURCE_TYPE_FIELD + ":" + IndexableCommunity.TYPE);
    }

    /**
@@ -750,7 +764,7 @@ public class AuthorizeServiceImpl implements AuthorizeService {
     */
    @Override
    public boolean isCollectionAdmin(Context context) throws SQLException {
-        return performCheck(context, "search.resourcetype:" + IndexableCollection.TYPE);
+        return performCheck(context, RESOURCE_TYPE_FIELD + ":" + IndexableCollection.TYPE);
    }

    /**
@@ -763,7 +777,7 @@ public class AuthorizeServiceImpl implements AuthorizeService {
     */
    @Override
    public boolean isItemAdmin(Context context) throws SQLException {
-        return performCheck(context, "search.resourcetype:" + IndexableItem.TYPE);
+        return performCheck(context, RESOURCE_TYPE_FIELD + ":" + IndexableItem.TYPE);
    }

    /**
@@ -777,8 +791,8 @@ public class AuthorizeServiceImpl implements AuthorizeService {
    @Override
    public boolean isComColAdmin(Context context) throws SQLException {
        return performCheck(context,
-            "(search.resourcetype:" + IndexableCommunity.TYPE + " OR search.resourcetype:" +
-                IndexableCollection.TYPE + ")");
+            "(" + RESOURCE_TYPE_FIELD + ":" + IndexableCommunity.TYPE + " OR " +
+            RESOURCE_TYPE_FIELD + ":" + IndexableCollection.TYPE + ")");
    }

    /**
@@ -796,7 +810,7 @@ public class AuthorizeServiceImpl implements AuthorizeService {
        throws SearchServiceException, SQLException {
        List<Community> communities = new ArrayList<>();
        query = formatCustomQuery(query);
-        DiscoverResult discoverResult = getDiscoverResult(context, query + "search.resourcetype:" +
+        DiscoverResult discoverResult = getDiscoverResult(context, query + RESOURCE_TYPE_FIELD + ":" +
                                                              IndexableCommunity.TYPE,
            offset, limit, null, null);
        for (IndexableObject solrCollections : discoverResult.getIndexableObjects()) {
@@ -818,9 +832,9 @@ public class AuthorizeServiceImpl implements AuthorizeService {
    public long countAdminAuthorizedCommunity(Context context, String query)
        throws SearchServiceException, SQLException {
        query = formatCustomQuery(query);
-        DiscoverResult discoverResult = getDiscoverResult(context, query + "search.resourcetype:" +
+        DiscoverResult discoverResult = getDiscoverResult(context, query + RESOURCE_TYPE_FIELD + ":" +
                                                              IndexableCommunity.TYPE,
-            null, null, null, null);
+            null, 0, null, null);
        return discoverResult.getTotalSearchResults();
    }

@@ -843,7 +857,7 @@ public class AuthorizeServiceImpl implements AuthorizeService {
        }

        query = formatCustomQuery(query);
-        DiscoverResult discoverResult = getDiscoverResult(context, query + "search.resourcetype:" +
+        DiscoverResult discoverResult = getDiscoverResult(context, query + RESOURCE_TYPE_FIELD + ":" +
                                                              IndexableCollection.TYPE,
            offset, limit, CollectionService.SOLR_SORT_FIELD, SORT_ORDER.asc);
        for (IndexableObject solrCollections : discoverResult.getIndexableObjects()) {
@@ -865,9 +879,9 @@ public class AuthorizeServiceImpl implements AuthorizeService {
    public long countAdminAuthorizedCollection(Context context, String query)
        throws SearchServiceException, SQLException {
        query = formatCustomQuery(query);
-        DiscoverResult discoverResult = getDiscoverResult(context, query + "search.resourcetype:" +
+        DiscoverResult discoverResult = getDiscoverResult(context, query + RESOURCE_TYPE_FIELD + ":" +
                                                              IndexableCollection.TYPE,
-            null, null, null, null);
+            null, 0, null, null);
        return discoverResult.getTotalSearchResults();
    }

@@ -943,4 +957,100 @@ public class AuthorizeServiceImpl implements AuthorizeService {
            return query + " AND ";
        }
    }
+
+    /**
+     * Add the default policies, which have not been already added to the given DSpace object
+     *
+     * @param context                   The relevant DSpace Context.
+     * @param dso                       The DSpace Object to add policies to
+     * @param defaultCollectionPolicies list of policies
+     * @throws SQLException       An exception that provides information on a database access error or other errors.
+     * @throws AuthorizeException Exception indicating the current user of the context does not have permission
+     *                            to perform a particular action.
+     */
+    @Override
+    public void addDefaultPoliciesNotInPlace(Context context, DSpaceObject dso,
+        List<ResourcePolicy> defaultCollectionPolicies) throws SQLException, AuthorizeException {
+        boolean appendMode = configurationService
+                .getBooleanProperty("core.authorization.installitem.inheritance-read.append-mode", false);
+        for (ResourcePolicy defaultPolicy : defaultCollectionPolicies) {
+            if (!isAnIdenticalPolicyAlreadyInPlace(context, dso, defaultPolicy.getGroup(), Constants.READ,
+                    defaultPolicy.getID()) &&
+                   (!appendMode && isNotAlreadyACustomRPOfThisTypeOnDSO(context, dso) ||
+                    appendMode && shouldBeAppended(context, dso, defaultPolicy))) {
+                ResourcePolicy newPolicy = resourcePolicyService.clone(context, defaultPolicy);
+                newPolicy.setdSpaceObject(dso);
+                newPolicy.setAction(Constants.READ);
+                newPolicy.setRpType(ResourcePolicy.TYPE_INHERITED);
+                resourcePolicyService.update(context, newPolicy);
+            }
+        }
+    }
+
+    /**
+     * Add a list of custom policies if there are already NO custom policies in place
+     *
+     */
+    @Override
+    public void addCustomPoliciesNotInPlace(Context context, DSpaceObject dso, List<ResourcePolicy> customPolicies)
+            throws SQLException, AuthorizeException {
+        boolean customPoliciesAlreadyInPlace =
+            findPoliciesByDSOAndType(context, dso, ResourcePolicy.TYPE_CUSTOM).size() > 0;
+        if (!customPoliciesAlreadyInPlace) {
+            addPolicies(context, customPolicies, dso);
+        }
+    }
+
+    /**
+     * Check whether or not there is already an RP on the given dso, which has actionId={@link Constants.READ} and
+     * resourceTypeId={@link ResourcePolicy.TYPE_CUSTOM}
+     *
+     * @param context DSpace context
+     * @param dso     DSpace object to check for custom read RP
+     * @return True if there is no RP on the item with custom read RP, otherwise false
+     * @throws SQLException If something goes wrong retrieving the RP on the DSO
+     */
+    private boolean isNotAlreadyACustomRPOfThisTypeOnDSO(Context context, DSpaceObject dso) throws SQLException {
+        return isNotAlreadyACustomRPOfThisTypeOnDSO(context, dso, Constants.READ);
+    }
+
+    private boolean isNotAlreadyACustomRPOfThisTypeOnDSO(Context context, DSpaceObject dso, int action)
+            throws SQLException {
+        List<ResourcePolicy> rps = resourcePolicyService.find(context, dso, action);
+        for (ResourcePolicy rp : rps) {
+            if (rp.getRpType() != null && rp.getRpType().equals(ResourcePolicy.TYPE_CUSTOM)) {
+                return false;
+            }
+        }
+        return true;
+    }
+
+    /**
+     * Check if the provided default policy should be appended or not to the final
+     * item. If an item has at least one custom READ policy any anonymous READ
+     * policy with empty start/end date should be skipped
+     *
+     * @param context       DSpace context
+     * @param dso           DSpace object to check for custom read RP
+     * @param defaultPolicy The policy to check
+     * @return
+     * @throws SQLException If something goes wrong retrieving the RP on the DSO
+     */
+    private boolean shouldBeAppended(Context context, DSpaceObject dso, ResourcePolicy defaultPolicy)
+            throws SQLException {
+        boolean hasCustomPolicy = resourcePolicyService.find(context, dso, Constants.READ)
+                                                       .stream()
+                                                       .filter(rp -> (Objects.nonNull(rp.getRpType()) &&
+                                                            Objects.equals(rp.getRpType(), ResourcePolicy.TYPE_CUSTOM)))
+                                                       .findFirst()
+                                                       .isPresent();
+
+        boolean isAnonymousGroup = Objects.nonNull(defaultPolicy.getGroup())
+                && StringUtils.equals(defaultPolicy.getGroup().getName(), Group.ANONYMOUS);
+
+        boolean datesAreNull = Objects.isNull(defaultPolicy.getStartDate())
+                && Objects.isNull(defaultPolicy.getEndDate());
+
+        return !(hasCustomPolicy && isAnonymousGroup && datesAreNull);
+    }
 }
--- a/dspace-api/src/main/java/org/dspace/authorize/ResourcePolicyServiceImpl.java
+++ b/dspace-api/src/main/java/org/dspace/authorize/ResourcePolicyServiceImpl.java
@@ -19,6 +19,7 @@ import org.apache.commons.collections4.CollectionUtils;
 import org.apache.commons.lang3.ObjectUtils;
 import org.apache.logging.log4j.Logger;
 import org.dspace.authorize.dao.ResourcePolicyDAO;
+import org.dspace.authorize.service.AuthorizeService;
 import org.dspace.authorize.service.ResourcePolicyService;
 import org.dspace.content.DSpaceObject;
 import org.dspace.content.factory.ContentServiceFactory;
@@ -51,6 +52,9 @@ public class ResourcePolicyServiceImpl implements ResourcePolicyService {
    @Autowired
    private GroupService groupService;

+    @Autowired
+    private AuthorizeService authorizeService;
+
    protected ResourcePolicyServiceImpl() {
    }

@@ -422,6 +426,6 @@ public class ResourcePolicyServiceImpl implements ResourcePolicyService {
        } else if (group != null && groupService.isMember(context, eperson, group)) {
            isMy = true;
        }
-        return isMy;
+        return isMy || authorizeService.isAdmin(context, eperson, resourcePolicy.getdSpaceObject());
    }
 }
--- a/dspace-api/src/main/java/org/dspace/authorize/service/AuthorizeService.java
+++ b/dspace-api/src/main/java/org/dspace/authorize/service/AuthorizeService.java
@@ -322,6 +322,19 @@ public interface AuthorizeService {
     */
    public List<ResourcePolicy> getPoliciesActionFilterExceptRpType(Context c, DSpaceObject o, int actionID,
                                                                    String rpType) throws SQLException;
+    /**
+     * Add policies to an object to match those from a previous object
+     *
+     * @param c    context
+     * @param src  source of policies
+     * @param dest destination of inherited policies
+     * @param includeCustom whether TYPE_CUSTOM policies should be inherited
+     * @throws SQLException       if there's a database problem
+     * @throws AuthorizeException if the current user is not authorized to add these policies
+     */
+    public void inheritPolicies(Context c, DSpaceObject src, DSpaceObject dest, boolean includeCustom)
+            throws SQLException, AuthorizeException;
+
    /**
     * Add policies to an object to match those from a previous object
     *
@@ -605,4 +618,10 @@ public interface AuthorizeService {
    public void replaceAllPolicies(Context context, DSpaceObject source, DSpaceObject dest)
            throws SQLException, AuthorizeException;

+    public void addDefaultPoliciesNotInPlace(Context context, DSpaceObject dso,
+            List<ResourcePolicy> defaultCollectionPolicies) throws SQLException, AuthorizeException;
+
+    public void addCustomPoliciesNotInPlace(Context context, DSpaceObject dso,
+            List<ResourcePolicy> defaultCollectionPolicies) throws SQLException, AuthorizeException;
+
 }
--- a/dspace-api/src/main/java/org/dspace/browse/SolrBrowseDAO.java
+++ b/dspace-api/src/main/java/org/dspace/browse/SolrBrowseDAO.java
@@ -7,6 +7,9 @@
 */
 package org.dspace.browse;

+import static org.dspace.discovery.SearchUtils.RESOURCE_ID_FIELD;
+import static org.dspace.discovery.SearchUtils.RESOURCE_TYPE_FIELD;
+
 import java.io.Serializable;
 import java.util.ArrayList;
 import java.util.Collections;
@@ -308,8 +311,10 @@ public class SolrBrowseDAO implements BrowseDAO {
    public String doMaxQuery(String column, String table, int itemID)
        throws BrowseException {
        DiscoverQuery query = new DiscoverQuery();
-        query.setQuery("search.resourceid:" + itemID
-                           + " AND search.resourcetype:" + IndexableItem.TYPE);
+        query.setQuery("*:*");
+        query.addFilterQueries(
+                RESOURCE_ID_FIELD + ":" + itemID,
+                RESOURCE_TYPE_FIELD + ":" + IndexableItem.TYPE);
        query.setMaxResults(1);
        DiscoverResult resp = null;
        try {
--- a/dspace-api/src/main/java/org/dspace/checker/CheckerCommand.java
+++ b/dspace-api/src/main/java/org/dspace/checker/CheckerCommand.java
@@ -131,7 +131,7 @@ public final class CheckerCommand {
                collector.collect(context, info);
            }

-            context.uncacheEntity(bitstream);
+            context.commit();
            bitstream = dispatcher.next();
        }
    }
--- a/dspace-api/src/main/java/org/dspace/checker/dao/impl/MostRecentChecksumDAOImpl.java
+++ b/dspace-api/src/main/java/org/dspace/checker/dao/impl/MostRecentChecksumDAOImpl.java
@@ -56,8 +56,8 @@ public class MostRecentChecksumDAOImpl extends AbstractHibernateDAO<MostRecentCh
        criteriaQuery.where(criteriaBuilder.and(
            criteriaBuilder.equal(mostRecentChecksumRoot.get(MostRecentChecksum_.toBeProcessed), false),
            criteriaBuilder
-                .lessThanOrEqualTo(mostRecentChecksumRoot.get(MostRecentChecksum_.processStartDate), startDate),
-            criteriaBuilder.greaterThan(mostRecentChecksumRoot.get(MostRecentChecksum_.processStartDate), endDate)
+                .lessThanOrEqualTo(mostRecentChecksumRoot.get(MostRecentChecksum_.processStartDate), endDate),
+            criteriaBuilder.greaterThan(mostRecentChecksumRoot.get(MostRecentChecksum_.processStartDate), startDate)
                            )
        );
        List<Order> orderList = new LinkedList<>();
--- a/dspace-api/src/main/java/org/dspace/content/BitstreamFormatServiceImpl.java
+++ b/dspace-api/src/main/java/org/dspace/content/BitstreamFormatServiceImpl.java
@@ -49,7 +49,7 @@ public class BitstreamFormatServiceImpl implements BitstreamFormatService {
     * translate support-level ID to string.  MUST keep this table in sync
     * with support level definitions above.
     */
-    protected final String supportLevelText[] =
+    protected final String[] supportLevelText =
        {"UNKNOWN", "KNOWN", "SUPPORTED"};


--- a/dspace-api/src/main/java/org/dspace/content/DSpaceObjectServiceImpl.java
+++ b/dspace-api/src/main/java/org/dspace/content/DSpaceObjectServiceImpl.java
@@ -187,11 +187,11 @@ public abstract class DSpaceObjectServiceImpl<T extends DSpaceObject> implements
                                           String authority) {
        List<MetadataValue> metadata = getMetadata(dso, schema, element, qualifier, lang);
        List<MetadataValue> result = new ArrayList<>(metadata);
-        if (!authority.equals(Item.ANY)) {
+        if (!Item.ANY.equals(authority)) {
            Iterator<MetadataValue> iterator = result.iterator();
            while (iterator.hasNext()) {
                MetadataValue metadataValue = iterator.next();
-                if (!authority.equals(metadataValue.getAuthority())) {
+                if (!StringUtils.equals(authority, metadataValue.getAuthority())) {
                    iterator.remove();
                }
            }
@@ -509,7 +509,7 @@ public abstract class DSpaceObjectServiceImpl<T extends DSpaceObject> implements
        MetadataField metadataField = metadataValue.getMetadataField();
        MetadataSchema metadataSchema = metadataField.getMetadataSchema();
        // We will attempt to disprove a match - if we can't we have a match
-        if (!element.equals(Item.ANY) && !element.equals(metadataField.getElement())) {
+        if (!Item.ANY.equals(element) && !StringUtils.equals(element, metadataField.getElement())) {
            // Elements do not match, no wildcard
            return false;
        }
@@ -520,9 +520,9 @@ public abstract class DSpaceObjectServiceImpl<T extends DSpaceObject> implements
                // Value is qualified, so no match
                return false;
            }
-        } else if (!qualifier.equals(Item.ANY)) {
+        } else if (!Item.ANY.equals(qualifier)) {
            // Not a wildcard, so qualifier must match exactly
-            if (!qualifier.equals(metadataField.getQualifier())) {
+            if (!StringUtils.equals(qualifier, metadataField.getQualifier())) {
                return false;
            }
        }
@@ -533,15 +533,15 @@ public abstract class DSpaceObjectServiceImpl<T extends DSpaceObject> implements
                // Value is qualified, so no match
                return false;
            }
-        } else if (!language.equals(Item.ANY)) {
+        } else if (!Item.ANY.equals(language)) {
            // Not a wildcard, so language must match exactly
-            if (!language.equals(metadataValue.getLanguage())) {
+            if (!StringUtils.equals(language, metadataValue.getLanguage())) {
                return false;
            }
        }

-        if (!schema.equals(Item.ANY)) {
-            if (metadataSchema != null && !metadataSchema.getName().equals(schema)) {
+        if (!Item.ANY.equals(schema)) {
+            if (!StringUtils.equals(schema, metadataSchema.getName())) {
                // The namespace doesn't match
                return false;
            }
--- a/dspace-api/src/main/java/org/dspace/content/EntityTypeServiceImpl.java
+++ b/dspace-api/src/main/java/org/dspace/content/EntityTypeServiceImpl.java
@@ -30,6 +30,7 @@ import org.dspace.core.Constants;
 import org.dspace.core.Context;
 import org.dspace.discovery.SolrSearchCore;
 import org.dspace.discovery.indexobject.IndexableCollection;
+import org.dspace.eperson.EPerson;
 import org.dspace.eperson.Group;
 import org.dspace.eperson.service.GroupService;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -123,25 +124,35 @@ public class EntityTypeServiceImpl implements EntityTypeService {
    @Override
    public List<String> getSubmitAuthorizedTypes(Context context)
            throws SQLException, SolrServerException, IOException {
-        List<String> types = new ArrayList<>();
-        StringBuilder query = new StringBuilder();
-        org.dspace.eperson.EPerson currentUser = context.getCurrentUser();
+        StringBuilder query = null;
        if (!authorizeService.isAdmin(context)) {
-            String userId = "";
+            EPerson currentUser = context.getCurrentUser();
            if (currentUser != null) {
-                userId = currentUser.getID().toString();
+                String userId = currentUser.getID().toString();
+                query = new StringBuilder();
+                query.append("submit:(e").append(userId);
            }
-            query.append("submit:(e").append(userId);
+
            Set<Group> groups = groupService.allMemberGroupsSet(context, currentUser);
            for (Group group : groups) {
-                query.append(" OR g").append(group.getID());
+                if (query == null) {
+                    query = new StringBuilder();
+                    query.append("submit:(g");
+                } else {
+                    query.append(" OR g");
+                }
+                query.append(group.getID());
+            }
+
+            if (query != null) {
+                query.append(")");
            }
-            query.append(")");
-        } else {
-            query.append("*:*");
        }

-        SolrQuery sQuery = new SolrQuery(query.toString());
+        SolrQuery sQuery = new SolrQuery("*:*");
+        if (query != null) {
+            sQuery.addFilterQuery(query.toString());
+        }
        sQuery.addFilterQuery("search.resourcetype:" + IndexableCollection.TYPE);
        sQuery.setRows(0);
        sQuery.addFacetField("search.entitytype");
@@ -150,6 +161,8 @@ public class EntityTypeServiceImpl implements EntityTypeService {
        sQuery.setFacetSort(FacetParams.FACET_SORT_INDEX);
        QueryResponse qResp = solrSearchCore.getSolr().query(sQuery, solrSearchCore.REQUEST_METHOD);
        FacetField facetField = qResp.getFacetField("search.entitytype");
+
+        List<String> types = new ArrayList<>();
        if (Objects.nonNull(facetField)) {
            for (Count c : facetField.getValues()) {
                types.add(c.getName());
--- a/dspace-api/src/main/java/org/dspace/content/ItemServiceImpl.java
+++ b/dspace-api/src/main/java/org/dspace/content/ItemServiceImpl.java
@@ -480,7 +480,7 @@ public class ItemServiceImpl extends DSpaceObjectServiceImpl<Item> implements It

        // now add authorization policies from owning item
        // hmm, not very "multiple-inclusion" friendly
-        authorizeService.inheritPolicies(context, item, bundle);
+        authorizeService.inheritPolicies(context, item, bundle, true);

        // Add the bundle to in-memory list
        item.addBundle(bundle);
@@ -594,7 +594,7 @@ public class ItemServiceImpl extends DSpaceObjectServiceImpl<Item> implements It
    public void removeDSpaceLicense(Context context, Item item) throws SQLException, AuthorizeException, IOException {
        // get all bundles with name "LICENSE" (these are the DSpace license
        // bundles)
-        List<Bundle> bunds = getBundles(item, "LICENSE");
+        List<Bundle> bunds = getBundles(item, Constants.LICENSE_BUNDLE_NAME);

        for (Bundle bund : bunds) {
            // FIXME: probably serious troubles with Authorizations
@@ -1046,8 +1046,8 @@ public class ItemServiceImpl extends DSpaceObjectServiceImpl<Item> implements It
            // if come from InstallItem: remove all submission/workflow policies
            authorizeService.removeAllPoliciesByDSOAndType(context, mybundle, ResourcePolicy.TYPE_SUBMISSION);
            authorizeService.removeAllPoliciesByDSOAndType(context, mybundle, ResourcePolicy.TYPE_WORKFLOW);
-            addCustomPoliciesNotInPlace(context, mybundle, defaultItemPolicies);
-            addDefaultPoliciesNotInPlace(context, mybundle, defaultCollectionBundlePolicies);
+            authorizeService.addCustomPoliciesNotInPlace(context, mybundle, defaultItemPolicies);
+            authorizeService.addDefaultPoliciesNotInPlace(context, mybundle, defaultCollectionBundlePolicies);

            for (Bitstream bitstream : mybundle.getBitstreams()) {
                // If collection has default READ policies, remove the bundle's READ policies.
@@ -1093,8 +1093,8 @@ public class ItemServiceImpl extends DSpaceObjectServiceImpl<Item> implements It
        throws SQLException, AuthorizeException {
        authorizeService.removeAllPoliciesByDSOAndType(context, bitstream, ResourcePolicy.TYPE_SUBMISSION);
        authorizeService.removeAllPoliciesByDSOAndType(context, bitstream, ResourcePolicy.TYPE_WORKFLOW);
-        addCustomPoliciesNotInPlace(context, bitstream, defaultItemPolicies);
-        addDefaultPoliciesNotInPlace(context, bitstream, defaultCollectionPolicies);
+        authorizeService.addCustomPoliciesNotInPlace(context, bitstream, defaultItemPolicies);
+        authorizeService.addDefaultPoliciesNotInPlace(context, bitstream, defaultCollectionPolicies);
    }

    @Override
@@ -1132,7 +1132,7 @@ public class ItemServiceImpl extends DSpaceObjectServiceImpl<Item> implements It
            authorizeService.removeAllPoliciesByDSOAndType(context, item, ResourcePolicy.TYPE_WORKFLOW);

            // add default policies only if not already in place
-            addDefaultPoliciesNotInPlace(context, item, defaultCollectionPolicies);
+            authorizeService.addDefaultPoliciesNotInPlace(context, item, defaultCollectionPolicies);
        } finally {
            context.restoreAuthSystemState();
        }
@@ -1322,91 +1322,7 @@ prevent the generation of resource policy entry values with null dspace_object a

    */

-    /**
-     * Add the default policies, which have not been already added to the given DSpace object
-     *
-     * @param context                   The relevant DSpace Context.
-     * @param dso                       The DSpace Object to add policies to
-     * @param defaultCollectionPolicies list of policies
-     * @throws SQLException       An exception that provides information on a database access error or other errors.
-     * @throws AuthorizeException Exception indicating the current user of the context does not have permission
-     *                            to perform a particular action.
-     */
-    protected void addDefaultPoliciesNotInPlace(Context context, DSpaceObject dso,
-        List<ResourcePolicy> defaultCollectionPolicies) throws SQLException, AuthorizeException {
-        boolean appendMode = configurationService
-                .getBooleanProperty("core.authorization.installitem.inheritance-read.append-mode", false);
-        for (ResourcePolicy defaultPolicy : defaultCollectionPolicies) {
-            if (!authorizeService
-                .isAnIdenticalPolicyAlreadyInPlace(context, dso, defaultPolicy.getGroup(), Constants.READ,
-                    defaultPolicy.getID()) &&
-                   (!appendMode && isNotAlreadyACustomRPOfThisTypeOnDSO(context, dso) ||
-                    appendMode && shouldBeAppended(context, dso, defaultPolicy))) {
-                ResourcePolicy newPolicy = resourcePolicyService.clone(context, defaultPolicy);
-                newPolicy.setdSpaceObject(dso);
-                newPolicy.setAction(Constants.READ);
-                newPolicy.setRpType(ResourcePolicy.TYPE_INHERITED);
-                resourcePolicyService.update(context, newPolicy);
-            }
-        }
-    }

-    private void addCustomPoliciesNotInPlace(Context context, DSpaceObject dso, List<ResourcePolicy> customPolicies)
-            throws SQLException, AuthorizeException {
-        boolean customPoliciesAlreadyInPlace = authorizeService
-                .findPoliciesByDSOAndType(context, dso, ResourcePolicy.TYPE_CUSTOM).size() > 0;
-        if (!customPoliciesAlreadyInPlace) {
-            authorizeService.addPolicies(context, customPolicies, dso);
-        }
-    }
-
-    /**
-     * Check whether or not there is already an RP on the given dso, which has actionId={@link Constants.READ} and
-     * resourceTypeId={@link ResourcePolicy.TYPE_CUSTOM}
-     *
-     * @param context DSpace context
-     * @param dso     DSpace object to check for custom read RP
-     * @return True if there is no RP on the item with custom read RP, otherwise false
-     * @throws SQLException If something goes wrong retrieving the RP on the DSO
-     */
-    private boolean isNotAlreadyACustomRPOfThisTypeOnDSO(Context context, DSpaceObject dso) throws SQLException {
-        List<ResourcePolicy> readRPs = resourcePolicyService.find(context, dso, Constants.READ);
-        for (ResourcePolicy readRP : readRPs) {
-            if (readRP.getRpType() != null && readRP.getRpType().equals(ResourcePolicy.TYPE_CUSTOM)) {
-                return false;
-            }
-        }
-        return true;
-    }
-
-    /**
-     * Check if the provided default policy should be appended or not to the final
-     * item. If an item has at least one custom READ policy any anonymous READ
-     * policy with empty start/end date should be skipped
-     *
-     * @param context       DSpace context
-     * @param dso           DSpace object to check for custom read RP
-     * @param defaultPolicy The policy to check
-     * @return
-     * @throws SQLException If something goes wrong retrieving the RP on the DSO
-     */
-    private boolean shouldBeAppended(Context context, DSpaceObject dso, ResourcePolicy defaultPolicy)
-            throws SQLException {
-        boolean hasCustomPolicy = resourcePolicyService.find(context, dso, Constants.READ)
-                                                       .stream()
-                                                       .filter(rp -> (Objects.nonNull(rp.getRpType()) &&
-                                                            Objects.equals(rp.getRpType(), ResourcePolicy.TYPE_CUSTOM)))
-                                                       .findFirst()
-                                                       .isPresent();
-
-        boolean isAnonimousGroup = Objects.nonNull(defaultPolicy.getGroup())
-                && StringUtils.equals(defaultPolicy.getGroup().getName(), Group.ANONYMOUS);
-
-        boolean datesAreNull = Objects.isNull(defaultPolicy.getStartDate())
-                && Objects.isNull(defaultPolicy.getEndDate());
-
-        return !(hasCustomPolicy && isAnonimousGroup && datesAreNull);
-    }

    /**
     * Returns an iterator of Items possessing the passed metadata field, or only
--- a/dspace-api/src/main/java/org/dspace/content/LicenseUtils.java
+++ b/dspace-api/src/main/java/org/dspace/content/LicenseUtils.java
@@ -22,6 +22,7 @@ import org.dspace.content.service.BitstreamFormatService;
 import org.dspace.content.service.BitstreamService;
 import org.dspace.content.service.CollectionService;
 import org.dspace.content.service.ItemService;
+import org.dspace.core.Constants;
 import org.dspace.core.Context;
 import org.dspace.eperson.EPerson;

@@ -139,10 +140,10 @@ public class LicenseUtils {
        // Store text as a bitstream
        byte[] licenseBytes = licenseText.getBytes("UTF-8");
        ByteArrayInputStream bais = new ByteArrayInputStream(licenseBytes);
-        Bitstream b = itemService.createSingleBitstream(context, bais, item, "LICENSE");
+        Bitstream b = itemService.createSingleBitstream(context, bais, item, Constants.LICENSE_BUNDLE_NAME);

        // Now set the format and name of the bitstream
-        b.setName(context, "license.txt");
+        b.setName(context, Constants.LICENSE_BITSTREAM_NAME);
        b.setSource(context, "Written by org.dspace.content.LicenseUtils");

        DCDate acceptanceDCDate = DCDate.getCurrent();
--- a/dspace-api/src/main/java/org/dspace/content/authority/Choices.java
+++ b/dspace-api/src/main/java/org/dspace/content/authority/Choices.java
@@ -68,7 +68,7 @@ public class Choices {
    /**
     * descriptive labels for confidence values
     */
-    private static final int confidenceValue[] = {
+    private static final int[] confidenceValue = {
        CF_UNSET,
        CF_NOVALUE,
        CF_REJECTED,
@@ -78,7 +78,7 @@ public class Choices {
        CF_UNCERTAIN,
        CF_ACCEPTED,
    };
-    private static final String confidenceText[] = {
+    private static final String[] confidenceText = {
        "UNSET",
        "NOVALUE",
        "REJECTED",
@@ -94,7 +94,7 @@ public class Choices {
    /**
     * The set of values returned by the authority
     */
-    public Choice values[] = null;
+    public Choice[] values = null;

    /**
     * The confidence level that applies to all values in this result set
@@ -133,9 +133,9 @@ public class Choices {
     * @param confidence confidence level
     * @param more       whether more values
     */
-    public Choices(Choice values[], int start, int total, int confidence, boolean more) {
+    public Choices(Choice[] values, int start, int total, int confidence, boolean more) {
        super();
-        this.values = (Choice[]) ArrayUtils.clone(values);
+        this.values = ArrayUtils.clone(values);
        this.start = start;
        this.total = total;
        this.confidence = confidence;
@@ -152,9 +152,9 @@ public class Choices {
     * @param more            whether more values
     * @param defaultSelected default selected value
     */
-    public Choices(Choice values[], int start, int total, int confidence, boolean more, int defaultSelected) {
+    public Choices(Choice[] values, int start, int total, int confidence, boolean more, int defaultSelected) {
        super();
-        this.values = (Choice[]) ArrayUtils.clone(values);
+        this.values = ArrayUtils.clone(values);
        this.start = start;
        this.total = total;
        this.confidence = confidence;
--- a/dspace-api/src/main/java/org/dspace/content/authority/DCInputAuthority.java
+++ b/dspace-api/src/main/java/org/dspace/content/authority/DCInputAuthority.java
@@ -66,7 +66,7 @@ public class DCInputAuthority extends SelfNamedPlugin implements ChoiceAuthority
     * The map of the input form reader associated to use for a specific java locale
     */
    private static Map<Locale, DCInputsReader> dcis = null;
-    private static String pluginNames[] = null;
+    private static String[] pluginNames = null;

    public DCInputAuthority() {
        super();
@@ -87,7 +87,7 @@ public class DCInputAuthority extends SelfNamedPlugin implements ChoiceAuthority
            initPluginNames();
        }

-        return (String[]) ArrayUtils.clone(pluginNames);
+        return ArrayUtils.clone(pluginNames);
    }

    private static synchronized void initPluginNames() {
@@ -179,7 +179,7 @@ public class DCInputAuthority extends SelfNamedPlugin implements ChoiceAuthority
        String[] labelsLocale = labels.get(currentLocale.getLanguage());
        for (int i = 0; i < valuesLocale.length; ++i) {
            if (text.equalsIgnoreCase(valuesLocale[i])) {
-                Choice v[] = new Choice[1];
+                Choice[] v = new Choice[1];
                v[0] = new Choice(String.valueOf(i), valuesLocale[i], labelsLocale[i]);
                return new Choices(v, 0, v.length, Choices.CF_UNCERTAIN, false, 0);
            }
--- a/dspace-api/src/main/java/org/dspace/content/authority/DSpaceControlledVocabulary.java
+++ b/dspace-api/src/main/java/org/dspace/content/authority/DSpaceControlledVocabulary.java
@@ -35,23 +35,25 @@ import org.xml.sax.InputSource;
 * from {@code ${dspace.dir}/config/controlled-vocabularies/*.xml} and turns
 * them into autocompleting authorities.
 *
- * Configuration: This MUST be configured as a self-named plugin, e.g.: {@code
- * plugin.selfnamed.org.dspace.content.authority.ChoiceAuthority = \
+ * <p>Configuration: This MUST be configured as a self-named plugin, e.g.: {@code
+ * plugin.selfnamed.org.dspace.content.authority.ChoiceAuthority =
 * org.dspace.content.authority.DSpaceControlledVocabulary
 * }
 *
- * It AUTOMATICALLY configures a plugin instance for each XML file in the
+ * <p>It AUTOMATICALLY configures a plugin instance for each XML file in the
 * controlled vocabularies directory. The name of the plugin is the basename of
 * the file; e.g., {@code ${dspace.dir}/config/controlled-vocabularies/nsi.xml}
 * would generate a plugin called "nsi".
 *
- * Each configured plugin comes with three configuration options: {@code
- * vocabulary.plugin._plugin_.hierarchy.store = <true|false>
- * # Store entire hierarchy along with selected value. Default: TRUE
- * vocabulary.plugin._plugin_.hierarchy.suggest =
- * <true|false>  # Display entire hierarchy in the suggestion list.  Default: TRUE
- * vocabulary.plugin._plugin_.delimiter = "<string>"
- * # Delimiter to use when building hierarchy strings. Default: "::"
+ * <p>Each configured plugin comes with three configuration options:
+ * <ul>
+ *  <li>{@code vocabulary.plugin._plugin_.hierarchy.store = <true|false>
+ * # Store entire hierarchy along with selected value. Default: TRUE}</li>
+ *  <li>{@code vocabulary.plugin._plugin_.hierarchy.suggest =
+ * <true|false>  # Display entire hierarchy in the suggestion list.  Default: TRUE}</li>
+ *  <li>{@code vocabulary.plugin._plugin_.delimiter = "<string>"
+ * # Delimiter to use when building hierarchy strings. Default: "::"}</li>
+ * </ul>
 * }
 *
 * @author Michael B. Klein
@@ -59,16 +61,17 @@ import org.xml.sax.InputSource;

 public class DSpaceControlledVocabulary extends SelfNamedPlugin implements HierarchicalAuthority {

-    private static Logger log = org.apache.logging.log4j.LogManager.getLogger(DSpaceControlledVocabulary.class);
+    private static final Logger log = org.apache.logging.log4j.LogManager.getLogger();
    protected static String xpathTemplate = "//node[contains(translate(@label,'ABCDEFGHIJKLMNOPQRSTUVWXYZ'," +
-        "'abcdefghijklmnopqrstuvwxyz'),'%s')]";
-    protected static String idTemplate = "//node[@id = '%s']";
-    protected static String labelTemplate = "//node[@label = '%s']";
+        "'abcdefghijklmnopqrstuvwxyz'),%s)]";
+    protected static String idTemplate = "//node[@id = %s]";
+    protected static String idTemplateQuoted = "//node[@id = '%s']";
+    protected static String labelTemplate = "//node[@label = %s]";
    protected static String idParentTemplate = "//node[@id = '%s']/parent::isComposedBy/parent::node";
    protected static String rootTemplate = "/node";
    protected static String idAttribute = "id";
    protected static String labelAttribute = "label";
-    protected static String pluginNames[] = null;
+    protected static String[] pluginNames = null;
    protected String vocabularyName = null;
    protected InputSource vocabulary = null;
    protected Boolean suggestHierarchy = false;
@@ -94,7 +97,7 @@ public class DSpaceControlledVocabulary extends SelfNamedPlugin implements Hiera
            initPluginNames();
        }

-        return (String[]) ArrayUtils.clone(pluginNames);
+        return ArrayUtils.clone(pluginNames);
    }

    private static synchronized void initPluginNames() {
@@ -110,7 +113,7 @@ public class DSpaceControlledVocabulary extends SelfNamedPlugin implements Hiera
                                                           File.separator + "config" +
                                                           File.separator + "controlled-vocabularies";
            String[] xmlFiles = (new File(vocabulariesPath)).list(new xmlFilter());
-            List<String> names = new ArrayList<String>();
+            List<String> names = new ArrayList<>();
            for (String filename : xmlFiles) {
                names.add((new File(filename)).getName().replace(".xml", ""));
            }
@@ -179,14 +182,22 @@ public class DSpaceControlledVocabulary extends SelfNamedPlugin implements Hiera
        init(locale);
        log.debug("Getting matches for '" + text + "'");
        String[] textHierarchy = text.split(hierarchyDelimiter, -1);
-        String xpathExpression = xpathTemplate.repeat(textHierarchy.length);
+        StringBuilder xpathExpressionBuilder = new StringBuilder();
+        for (int i = 0; i < textHierarchy.length; i++) {
+            xpathExpressionBuilder.append(String.format(xpathTemplate, "$var" + i));
+        }
+        String xpathExpression = xpathExpressionBuilder.toString();
        XPath xpath = XPathFactory.newInstance().newXPath();
        xpath.setXPathVariableResolver(variableName -> {
-            int index = Integer.parseInt(variableName.getLocalPart().substring(4)); // Extract index from "paramX"
-            return textHierarchy[index].toLowerCase();
+            String varName = variableName.getLocalPart();
+            if (varName.startsWith("var")) {
+                int index = Integer.parseInt(varName.substring(3));
+                return textHierarchy[index].toLowerCase();
+            }
+            throw new IllegalArgumentException("Unexpected variable: " + varName);
        });
-        int total = 0;
-        List<Choice> choices = new ArrayList<Choice>();
+        int total;
+        List<Choice> choices;
        try {
            NodeList results = (NodeList) xpath.evaluate(xpathExpression, vocabulary, XPathConstants.NODESET);
            total = results.getLength();
@@ -202,15 +213,23 @@ public class DSpaceControlledVocabulary extends SelfNamedPlugin implements Hiera
    @Override
    public Choices getBestMatch(String text, String locale) {
        init(locale);
-        log.debug("Getting best matches for '" + text + "'");
+        log.debug("Getting best matches for {}'", text);
        String[] textHierarchy = text.split(hierarchyDelimiter, -1);
-        String xpathExpression = valueTemplate.repeat(textHierarchy.length);
+        StringBuilder xpathExpressionBuilder = new StringBuilder();
+        for (int i = 0; i < textHierarchy.length; i++) {
+            xpathExpressionBuilder.append(String.format(valueTemplate, "$var" + i));
+        }
+        String xpathExpression = xpathExpressionBuilder.toString();
        XPath xpath = XPathFactory.newInstance().newXPath();
        xpath.setXPathVariableResolver(variableName -> {
-            int index = Integer.parseInt(variableName.getLocalPart().substring(4)); // Extract index from "paramX"
-            return textHierarchy[index];
+            String varName = variableName.getLocalPart();
+            if (varName.startsWith("var")) {
+                int index = Integer.parseInt(varName.substring(3));
+                return textHierarchy[index];
+            }
+            throw new IllegalArgumentException("Unexpected variable: " + varName);
        });
-        List<Choice> choices = new ArrayList<Choice>();
+        List<Choice> choices;
        try {
            NodeList results = (NodeList) xpath.evaluate(xpathExpression, vocabulary, XPathConstants.NODESET);
            choices = getChoicesFromNodeList(results, 0, 1);
@@ -258,7 +277,7 @@ public class DSpaceControlledVocabulary extends SelfNamedPlugin implements Hiera
    @Override
    public Choices getChoicesByParent(String authorityName, String parentId, int start, int limit, String locale) {
        init(locale);
-        String xpathExpression = String.format(idTemplate, parentId);
+        String xpathExpression = String.format(idTemplateQuoted, parentId);
        return getChoicesByXpath(xpathExpression, start, limit);
    }

@@ -282,15 +301,12 @@ public class DSpaceControlledVocabulary extends SelfNamedPlugin implements Hiera
    }

    private boolean isRootElement(Node node) {
-        if (node != null && node.getOwnerDocument().getDocumentElement().equals(node)) {
-            return true;
-        }
-        return false;
+        return node != null && node.getOwnerDocument().getDocumentElement().equals(node);
    }

    private Node getNode(String key, String locale) throws XPathExpressionException {
        init(locale);
-        String xpathExpression = String.format(idTemplate, key);
+        String xpathExpression = String.format(idTemplateQuoted, key);
        Node node = getNodeFromXPath(xpathExpression);
        return node;
    }
@@ -302,7 +318,7 @@ public class DSpaceControlledVocabulary extends SelfNamedPlugin implements Hiera
    }

    private List<Choice> getChoicesFromNodeList(NodeList results, int start, int limit) {
-        List<Choice> choices = new ArrayList<Choice>();
+        List<Choice> choices = new ArrayList<>();
        for (int i = 0; i < results.getLength(); i++) {
            if (i < start) {
                continue;
@@ -321,17 +337,17 @@ public class DSpaceControlledVocabulary extends SelfNamedPlugin implements Hiera

    private Map<String, String> addOtherInformation(String parentCurr, String noteCurr,
            List<String> childrenCurr, String authorityCurr) {
-        Map<String, String> extras = new HashMap<String, String>();
+        Map<String, String> extras = new HashMap<>();
        if (StringUtils.isNotBlank(parentCurr)) {
            extras.put("parent", parentCurr);
        }
        if (StringUtils.isNotBlank(noteCurr)) {
            extras.put("note", noteCurr);
        }
-        if (childrenCurr.size() > 0) {
-            extras.put("hasChildren", "true");
-        } else {
+        if (childrenCurr.isEmpty()) {
            extras.put("hasChildren", "false");
+        } else {
+            extras.put("hasChildren", "true");
        }
        extras.put("id", authorityCurr);
        return extras;
@@ -386,7 +402,7 @@ public class DSpaceControlledVocabulary extends SelfNamedPlugin implements Hiera
    }

    private List<String> getChildren(Node node) {
-        List<String> children = new ArrayList<String>();
+        List<String> children = new ArrayList<>();
        NodeList childNodes = node.getChildNodes();
        for (int ci = 0; ci < childNodes.getLength(); ci++) {
            Node firstChild = childNodes.item(ci);
@@ -409,7 +425,7 @@ public class DSpaceControlledVocabulary extends SelfNamedPlugin implements Hiera
    private boolean isSelectable(Node node) {
        Node selectableAttr = node.getAttributes().getNamedItem("selectable");
        if (null != selectableAttr) {
-            return Boolean.valueOf(selectableAttr.getNodeValue());
+            return Boolean.parseBoolean(selectableAttr.getNodeValue());
        } else { // Default is true
            return true;
        }
@@ -436,7 +452,7 @@ public class DSpaceControlledVocabulary extends SelfNamedPlugin implements Hiera
    }

    private Choices getChoicesByXpath(String xpathExpression, int start, int limit) {
-        List<Choice> choices = new ArrayList<Choice>();
+        List<Choice> choices = new ArrayList<>();
        XPath xpath = XPathFactory.newInstance().newXPath();
        try {
            Node parentNode = (Node) xpath.evaluate(xpathExpression, vocabulary, XPathConstants.NODE);
--- a/dspace-api/src/main/java/org/dspace/content/authority/SampleAuthority.java
+++ b/dspace-api/src/main/java/org/dspace/content/authority/SampleAuthority.java
@@ -14,7 +14,7 @@ package org.dspace.content.authority;
 public class SampleAuthority implements ChoiceAuthority {
    private String pluginInstanceName;

-    protected static String values[] = {
+    protected static String[] values = {
        "sun",
        "mon",
        "tue",
@@ -24,7 +24,7 @@ public class SampleAuthority implements ChoiceAuthority {
        "sat"
    };

-    protected static String labels[] = {
+    protected static String[] labels = {
        "Sunday",
        "Monday",
        "Tuesday",
@@ -37,7 +37,7 @@ public class SampleAuthority implements ChoiceAuthority {
    @Override
    public Choices getMatches(String query, int start, int limit, String locale) {
        int dflt = -1;
-        Choice v[] = new Choice[values.length];
+        Choice[] v = new Choice[values.length];
        for (int i = 0; i < values.length; ++i) {
            v[i] = new Choice(String.valueOf(i), values[i], labels[i]);
            if (values[i].equalsIgnoreCase(query)) {
@@ -51,7 +51,7 @@ public class SampleAuthority implements ChoiceAuthority {
    public Choices getBestMatch(String text, String locale) {
        for (int i = 0; i < values.length; ++i) {
            if (text.equalsIgnoreCase(values[i])) {
-                Choice v[] = new Choice[1];
+                Choice[] v = new Choice[1];
                v[0] = new Choice(String.valueOf(i), values[i], labels[i]);
                return new Choices(v, 0, v.length, Choices.CF_UNCERTAIN, false, 0);
            }
--- a/dspace-api/src/main/java/org/dspace/content/authority/SolrAuthority.java
+++ b/dspace-api/src/main/java/org/dspace/content/authority/SolrAuthority.java
@@ -82,9 +82,9 @@ public class SolrAuthority implements ChoiceAuthority {
                localSearchField = searchField + "_" + locale;
            }

-            String query = "(" + toQuery(searchField, text) + ") ";
+            String query = "(" + toQuery(searchField, text) + ")";
            if (!localSearchField.equals("")) {
-                query += " or (" + toQuery(localSearchField, text) + ")";
+                query += " OR (" + toQuery(localSearchField, text) + ")";
            }
            queryArgs.setQuery(query);
        }
@@ -200,7 +200,7 @@ public class SolrAuthority implements ChoiceAuthority {
    }

    private String toQuery(String searchField, String text) {
-        return searchField + ":(" + text.toLowerCase().replaceAll(":", "\\\\:") + "*) or " + searchField + ":(" + text
+        return searchField + ":(" + text.toLowerCase().replaceAll(":", "\\\\:") + "*) OR " + searchField + ":(" + text
            .toLowerCase().replaceAll(":", "\\\\:") + ")";
    }

--- a/dspace-api/src/main/java/org/dspace/content/crosswalk/AIPDIMCrosswalk.java
+++ b/dspace-api/src/main/java/org/dspace/content/crosswalk/AIPDIMCrosswalk.java
@@ -46,7 +46,7 @@ public class AIPDIMCrosswalk
     */
    @Override
    public Namespace[] getNamespaces() {
-        Namespace result[] = new Namespace[1];
+        Namespace[] result = new Namespace[1];
        result[0] = XSLTCrosswalk.DIM_NS;
        return result;
    }
--- a/dspace-api/src/main/java/org/dspace/content/crosswalk/AIPTechMDCrosswalk.java
+++ b/dspace-api/src/main/java/org/dspace/content/crosswalk/AIPTechMDCrosswalk.java
@@ -98,7 +98,7 @@ public class AIPTechMDCrosswalk implements IngestionCrosswalk, DisseminationCros
     */
    @Override
    public Namespace[] getNamespaces() {
-        Namespace result[] = new Namespace[1];
+        Namespace[] result = new Namespace[1];
        result[0] = XSLTCrosswalk.DIM_NS;
        return result;
    }
--- a/dspace-api/src/main/java/org/dspace/content/crosswalk/DIMDisseminationCrosswalk.java
+++ b/dspace-api/src/main/java/org/dspace/content/crosswalk/DIMDisseminationCrosswalk.java
@@ -45,7 +45,7 @@ public class DIMDisseminationCrosswalk

    protected final ItemService itemService = ContentServiceFactory.getInstance().getItemService();

-    private static final Namespace namespaces[] = {DIM_NS};
+    private static final Namespace[] namespaces = {DIM_NS};

    @Override
    public Namespace[] getNamespaces() {
--- a/dspace-api/src/main/java/org/dspace/content/crosswalk/METSDisseminationCrosswalk.java
+++ b/dspace-api/src/main/java/org/dspace/content/crosswalk/METSDisseminationCrosswalk.java
@@ -14,6 +14,7 @@ import java.util.ArrayList;
 import java.util.List;

 import org.apache.commons.lang3.ArrayUtils;
+import org.dspace.app.util.XMLUtils;
 import org.dspace.authorize.AuthorizeException;
 import org.dspace.content.DSpaceObject;
 import org.dspace.content.packager.PackageDisseminator;
@@ -62,7 +63,7 @@ public class METSDisseminationCrosswalk
    private static final Namespace METS_NS = Namespace
        .getNamespace("mets", "http://www.loc.gov/METS/");

-    private static final Namespace namespaces[] = {METS_NS, MODS_NS, XLINK_NS};
+    private static final Namespace[] namespaces = {METS_NS, MODS_NS, XLINK_NS};

    /**
     * URL of METS XML Schema
@@ -129,7 +130,7 @@ public class METSDisseminationCrosswalk

            try {
                //Return just the root Element of the METS file
-                SAXBuilder builder = new SAXBuilder();
+                SAXBuilder builder = XMLUtils.getSAXBuilder();
                Document metsDocument = builder.build(tempFile);
                return metsDocument.getRootElement();
            } catch (JDOMException je) {
--- a/dspace-api/src/main/java/org/dspace/content/crosswalk/METSRightsCrosswalk.java
+++ b/dspace-api/src/main/java/org/dspace/content/crosswalk/METSRightsCrosswalk.java
@@ -70,7 +70,7 @@ public class METSRightsCrosswalk
    private String schemaLocation =
        METSRights_NS.getURI() + " http://cosimo.stanford.edu/sdr/metsrights.xsd";

-    private static final Namespace namespaces[] = {METSRights_NS};
+    private static final Namespace[] namespaces = {METSRights_NS};

    private static final Map<Integer, String> otherTypesMapping = new HashMap<Integer, String>();

--- a/dspace-api/src/main/java/org/dspace/content/crosswalk/MODSDisseminationCrosswalk.java
+++ b/dspace-api/src/main/java/org/dspace/content/crosswalk/MODSDisseminationCrosswalk.java
@@ -22,6 +22,7 @@ import java.util.Properties;
 import org.apache.commons.lang3.ArrayUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.dspace.app.util.XMLUtils;
 import org.dspace.authorize.AuthorizeException;
 import org.dspace.content.Collection;
 import org.dspace.content.Community;
@@ -108,7 +109,7 @@ public class MODSDisseminationCrosswalk extends SelfNamedPlugin
     * Fill in the plugin alias table from DSpace configuration entries
     * for configuration files for flavors of MODS crosswalk:
     */
-    private static String aliases[] = null;
+    private static String[] aliases = null;

    static {
        List<String> aliasList = new ArrayList<>();
@@ -116,11 +117,11 @@ public class MODSDisseminationCrosswalk extends SelfNamedPlugin
        for (String key : keys) {
            aliasList.add(key.substring(CONFIG_PREFIX.length()));
        }
-        aliases = (String[]) aliasList.toArray(new String[aliasList.size()]);
+        aliases = aliasList.toArray(new String[0]);
    }

    public static String[] getPluginNames() {
-        return (String[]) ArrayUtils.clone(aliases);
+        return ArrayUtils.clone(aliases);
    }

    /**
@@ -132,7 +133,7 @@ public class MODSDisseminationCrosswalk extends SelfNamedPlugin
    private static final Namespace XLINK_NS =
        Namespace.getNamespace("xlink", "http://www.w3.org/1999/xlink");

-    private static final Namespace namespaces[] = {MODS_NS, XLINK_NS};
+    private static final Namespace[] namespaces = {MODS_NS, XLINK_NS};

    /**
     * URL of MODS XML Schema
@@ -144,7 +145,7 @@ public class MODSDisseminationCrosswalk extends SelfNamedPlugin
        MODS_NS.getURI() + " " + MODS_XSD;

    private static final XMLOutputter outputUgly = new XMLOutputter();
-    private static final SAXBuilder builder = new SAXBuilder();
+    private static final SAXBuilder builder = XMLUtils.getSAXBuilder();

    private Map<String, modsTriple> modsMap = null;

@@ -258,7 +259,7 @@ public class MODSDisseminationCrosswalk extends SelfNamedPlugin
            while (pe.hasMoreElements()) {
                String qdc = pe.nextElement();
                String val = modsConfig.getProperty(qdc);
-                String pair[] = val.split("\\s+\\|\\s+", 2);
+                String[] pair = val.split("\\s+\\|\\s+", 2);
                if (pair.length < 2) {
                    log.warn("Illegal MODS mapping in " + propsFile.toString() + ", line = " +
                                 qdc + " = " + val);
--- a/dspace-api/src/main/java/org/dspace/content/crosswalk/OREDisseminationCrosswalk.java
+++ b/dspace-api/src/main/java/org/dspace/content/crosswalk/OREDisseminationCrosswalk.java
@@ -65,7 +65,7 @@ public class OREDisseminationCrosswalk
                                                                                     .getConfigurationService();


-    private static final Namespace namespaces[] = {ATOM_NS, ORE_NS, ORE_ATOM, RDF_NS, DCTERMS_NS, DS_NS};
+    private static final Namespace[] namespaces = {ATOM_NS, ORE_NS, ORE_ATOM, RDF_NS, DCTERMS_NS, DS_NS};


    @Override
@@ -331,14 +331,14 @@ public class OREDisseminationCrosswalk
     * @param sourceString source unescaped string
     */
    private String encodeForURL(String sourceString) {
-        Character lowalpha[] = {'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i',
+        Character[] lowalpha = {'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i',
            'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r',
            's', 't', 'u', 'v', 'w', 'x', 'y', 'z'};
-        Character upalpha[] = {'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I',
+        Character[] upalpha = {'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I',
            'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R',
            'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z'};
-        Character digit[] = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9'};
-        Character mark[] = {'-', '_', '.', '!', '~', '*', '\'', '/', '(', ')'};
+        Character[] digit = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9'};
+        Character[] mark = {'-', '_', '.', '!', '~', '*', '\'', '/', '(', ')'};

        // reserved
        //Character reserved[] = {';' , '/' , '?' , ':' , '@' , '&' , '=' , '+' , '$' , ',' ,'%', '#'};
--- a/dspace-api/src/main/java/org/dspace/content/crosswalk/OREIngestionCrosswalk.java
+++ b/dspace-api/src/main/java/org/dspace/content/crosswalk/OREIngestionCrosswalk.java
@@ -220,17 +220,17 @@ public class OREIngestionCrosswalk
     * @param sourceString source unescaped string
     */
    private String encodeForURL(String sourceString) {
-        Character lowalpha[] = {'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i',
+        Character[] lowalpha = {'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i',
            'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r',
            's', 't', 'u', 'v', 'w', 'x', 'y', 'z'};
-        Character upalpha[] = {'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I',
+        Character[] upalpha = {'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I',
            'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R',
            'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z'};
-        Character digit[] = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9'};
-        Character mark[] = {'-', '_', '.', '!', '~', '*', '\'', '(', ')'};
+        Character[] digit = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9'};
+        Character[] mark = {'-', '_', '.', '!', '~', '*', '\'', '(', ')'};

        // reserved
-        Character reserved[] = {';', '/', '?', ':', '@', '&', '=', '+', '$', ',', '%', '#'};
+        Character[] reserved = {';', '/', '?', ':', '@', '&', '=', '+', '$', ',', '%', '#'};

        Set<Character> URLcharsSet = new HashSet<Character>();
        URLcharsSet.addAll(Arrays.asList(lowalpha));
--- a/dspace-api/src/main/java/org/dspace/content/crosswalk/PREMISCrosswalk.java
+++ b/dspace-api/src/main/java/org/dspace/content/crosswalk/PREMISCrosswalk.java
@@ -20,9 +20,7 @@ import org.apache.logging.log4j.Logger;
 import org.dspace.authorize.AuthorizeException;
 import org.dspace.content.Bitstream;
 import org.dspace.content.BitstreamFormat;
-import org.dspace.content.Bundle;
 import org.dspace.content.DSpaceObject;
-import org.dspace.content.Item;
 import org.dspace.content.factory.ContentServiceFactory;
 import org.dspace.content.service.BitstreamFormatService;
 import org.dspace.content.service.BitstreamService;
@@ -58,7 +56,7 @@ public class PREMISCrosswalk
    private final String schemaLocation =
        PREMIS_NS.getURI() + " http://www.loc.gov/standards/premis/PREMIS-v1-0.xsd";

-    private static final Namespace namespaces[] = {PREMIS_NS};
+    private static final Namespace[] namespaces = {PREMIS_NS};

    protected BitstreamService bitstreamService
            = ContentServiceFactory.getInstance().getBitstreamService();
@@ -224,29 +222,17 @@ public class PREMISCrosswalk
        //  c. made-up name based on sequence ID and extension.
        String sid = String.valueOf(bitstream.getSequenceID());
        String baseUrl = configurationService.getProperty("dspace.ui.url");
-        String handle = null;
-        // get handle of parent Item of this bitstream, if there is one:
-        List<Bundle> bn = bitstream.getBundles();
-        if (bn.size() > 0) {
-            List<Item> bi = bn.get(0).getItems();
-            if (bi.size() > 0) {
-                handle = bi.get(0).getHandle();
-            }
-        }
        // get or make up name for bitstream:
        String bsName = bitstream.getName();
        if (bsName == null) {
            List<String> ext = bitstream.getFormat(context).getExtensions();
            bsName = "bitstream_" + sid + (ext.size() > 0 ? ext.get(0) : "");
        }
-        if (handle != null && baseUrl != null) {
+        if (baseUrl != null) {
            oiv.setText(baseUrl
-                            + "/bitstream/"
-                            + URLEncoder.encode(handle, "UTF-8")
-                            + "/"
-                            + sid
-                            + "/"
-                            + URLEncoder.encode(bsName, "UTF-8"));
+                + "/bitstreams/"
+                + bitstream.getID()
+                + "/download");
        } else {
            oiv.setText(URLEncoder.encode(bsName, "UTF-8"));
        }
--- a/dspace-api/src/main/java/org/dspace/content/crosswalk/QDCCrosswalk.java
+++ b/dspace-api/src/main/java/org/dspace/content/crosswalk/QDCCrosswalk.java
@@ -22,6 +22,7 @@ import java.util.Properties;
 import org.apache.commons.lang3.ArrayUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.dspace.app.util.XMLUtils;
 import org.dspace.authorize.AuthorizeException;
 import org.dspace.content.DSpaceObject;
 import org.dspace.content.Item;
@@ -108,7 +109,7 @@ public class QDCCrosswalk extends SelfNamedPlugin
    private final Map<String, String> element2qdc = new HashMap<>();

    // the XML namespaces from config file for this name.
-    private Namespace namespaces[] = null;
+    private Namespace[] namespaces = null;

    private static final Namespace DCTERMS_NS =
        Namespace.getNamespace("dcterms", "http://purl.org/dc/terms/");
@@ -125,7 +126,7 @@ public class QDCCrosswalk extends SelfNamedPlugin
    // XML schemaLocation fragment for this crosswalk, from config.
    private String schemaLocation = null;

-    private static final SAXBuilder builder = new SAXBuilder();
+    private static final SAXBuilder builder = XMLUtils.getSAXBuilder();

    protected ItemService itemService = ContentServiceFactory.getInstance().getItemService();

@@ -138,7 +139,7 @@ public class QDCCrosswalk extends SelfNamedPlugin
     * Fill in the plugin-name table from DSpace configuration entries
     * for configuration files for flavors of QDC crosswalk:
     */
-    private static String aliases[] = null;
+    private static String[] aliases = null;

    static {
        initStatic();
@@ -432,7 +433,7 @@ public class QDCCrosswalk extends SelfNamedPlugin
            if ("qualifieddc".equals(me.getName())) {
                ingest(context, dso, me.getChildren(), createMissingMetadataFields);
            } else if (element2qdc.containsKey(key)) {
-                String qdc[] = (element2qdc.get(key)).split("\\.");
+                String[] qdc = (element2qdc.get(key)).split("\\.");

                MetadataField metadataField;
                if (qdc.length == 3) {
--- a/dspace-api/src/main/java/org/dspace/content/crosswalk/RoleCrosswalk.java
+++ b/dspace-api/src/main/java/org/dspace/content/crosswalk/RoleCrosswalk.java
@@ -13,6 +13,7 @@ import java.io.IOException;
 import java.sql.SQLException;
 import java.util.List;

+import org.dspace.app.util.XMLUtils;
 import org.dspace.authorize.AuthorizeException;
 import org.dspace.content.DSpaceObject;
 import org.dspace.content.packager.PackageDisseminator;
@@ -72,7 +73,7 @@ public class RoleCrosswalk
     */
    @Override
    public Namespace[] getNamespaces() {
-        Namespace result[] = new Namespace[1];
+        Namespace[] result = new Namespace[1];
        result[0] = RoleDisseminator.DSROLES_NS;
        return result;
    }
@@ -208,7 +209,7 @@ public class RoleCrosswalk

            try {
                //Try to parse our XML results (which were disseminated by the Packager)
-                SAXBuilder builder = new SAXBuilder();
+                SAXBuilder builder = XMLUtils.getSAXBuilder();
                Document xmlDocument = builder.build(tempFile);
                //If XML parsed successfully, return root element of doc
                if (xmlDocument != null && xmlDocument.hasRootElement()) {
--- a/dspace-api/src/main/java/org/dspace/content/crosswalk/SimpleDCDisseminationCrosswalk.java
+++ b/dspace-api/src/main/java/org/dspace/content/crosswalk/SimpleDCDisseminationCrosswalk.java
@@ -53,10 +53,10 @@ public class SimpleDCDisseminationCrosswalk extends SelfNamedPlugin
    private static final String schemaLocation =
        DC_NS.getURI() + " " + DC_XSD;

-    private static final Namespace namespaces[] =
+    private static final Namespace[] namespaces =
        {DC_NS, XSI_NS};

-    private static final String aliases[] = {"SimpleDC", "DC"};
+    private static final String[] aliases = {"SimpleDC", "DC"};
    protected final ItemService itemService = ContentServiceFactory.getInstance().getItemService();


--- a/dspace-api/src/main/java/org/dspace/content/crosswalk/XSLTDisseminationCrosswalk.java
+++ b/dspace-api/src/main/java/org/dspace/content/crosswalk/XSLTDisseminationCrosswalk.java
@@ -106,7 +106,7 @@ public class XSLTDisseminationCrosswalk
    protected static final ConfigurationService configurationService
            = DSpaceServicesFactory.getInstance().getConfigurationService();

-    private static final String aliases[] = makeAliases(DIRECTION);
+    private static final String[] aliases = makeAliases(DIRECTION);

    public static String[] getPluginNames() {
        return (String[]) ArrayUtils.clone(aliases);
@@ -116,7 +116,7 @@ public class XSLTDisseminationCrosswalk
    // until there's an instance, so do it in constructor.
    private String schemaLocation = null;

-    private Namespace namespaces[] = null;
+    private Namespace[] namespaces = null;

    private boolean preferList = false;

--- a/dspace-api/src/main/java/org/dspace/content/crosswalk/XSLTIngestionCrosswalk.java
+++ b/dspace-api/src/main/java/org/dspace/content/crosswalk/XSLTIngestionCrosswalk.java
@@ -18,6 +18,7 @@ import javax.xml.transform.TransformerException;

 import org.apache.commons.lang3.ArrayUtils;
 import org.apache.logging.log4j.Logger;
+import org.dspace.app.util.XMLUtils;
 import org.dspace.authorize.AuthorizeException;
 import org.dspace.content.Collection;
 import org.dspace.content.Community;
@@ -62,7 +63,7 @@ public class XSLTIngestionCrosswalk

    private static final String DIRECTION = "submission";

-    private static final String aliases[] = makeAliases(DIRECTION);
+    private static final String[] aliases = makeAliases(DIRECTION);

    private static final CommunityService communityService = ContentServiceFactory.getInstance().getCommunityService();
    private static final CollectionService collectionService = ContentServiceFactory.getInstance()
@@ -297,7 +298,7 @@ public class XSLTIngestionCrosswalk
                "Failed to initialize transformer, probably error loading stylesheet.");
        }

-        SAXBuilder builder = new SAXBuilder();
+        SAXBuilder builder = XMLUtils.getSAXBuilder();
        Document inDoc = builder.build(new FileInputStream(argv[i + 1]));
        XMLOutputter outputter = new XMLOutputter(Format.getPrettyFormat());
        List dimList;
--- a/dspace-api/src/main/java/org/dspace/content/dao/impl/BitstreamDAOImpl.java
+++ b/dspace-api/src/main/java/org/dspace/content/dao/impl/BitstreamDAOImpl.java
@@ -178,7 +178,7 @@ public class BitstreamDAOImpl extends AbstractHibernateDSODAO<Bitstream> impleme
    @Override
    public int countWithNoPolicy(Context context) throws SQLException {
        Query query = createQuery(context,
-                                  "SELECT count(bit.id) from Bitstream bit where bit.deleted<>true and bit.id not in" +
+                                  "SELECT count(bit.id) from Bitstream bit where bit.deleted<>true and bit not in" +
                                      " (select res.dSpaceObject from ResourcePolicy res where res.resourceTypeId = " +
                                      ":typeId )");
        query.setParameter("typeId", Constants.BITSTREAM);
--- a/dspace-api/src/main/java/org/dspace/content/dao/impl/CollectionDAOImpl.java
+++ b/dspace-api/src/main/java/org/dspace/content/dao/impl/CollectionDAOImpl.java
@@ -12,6 +12,7 @@ import java.util.AbstractMap;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
+import java.util.UUID;

 import jakarta.persistence.Query;
 import jakarta.persistence.criteria.CriteriaBuilder;
@@ -19,6 +20,7 @@ import jakarta.persistence.criteria.CriteriaQuery;
 import jakarta.persistence.criteria.Join;
 import jakarta.persistence.criteria.Predicate;
 import jakarta.persistence.criteria.Root;
+import org.apache.logging.log4j.Logger;
 import org.dspace.authorize.ResourcePolicy;
 import org.dspace.authorize.ResourcePolicy_;
 import org.dspace.content.Collection;
@@ -40,6 +42,11 @@ import org.dspace.eperson.Group;
 * @author kevinvandevelde at atmire.com
 */
 public class CollectionDAOImpl extends AbstractHibernateDSODAO<Collection> implements CollectionDAO {
+    /**
+     * log4j logger
+     */
+    private static Logger log = org.apache.logging.log4j.LogManager.getLogger(CollectionDAOImpl.class);
+
    protected CollectionDAOImpl() {
        super();
    }
@@ -159,7 +166,7 @@ public class CollectionDAOImpl extends AbstractHibernateDSODAO<Collection> imple

    @Override
    public List<Collection> findCollectionsWithSubscribers(Context context) throws SQLException {
-        return list(createQuery(context, "SELECT DISTINCT c FROM Collection c JOIN Subscription s ON c.id = " +
+        return list(createQuery(context, "SELECT DISTINCT c FROM Collection c JOIN Subscription s ON c = " +
                "s.dSpaceObject"));
    }

@@ -172,14 +179,25 @@ public class CollectionDAOImpl extends AbstractHibernateDSODAO<Collection> imple
    @SuppressWarnings("unchecked")
    public List<Map.Entry<Collection, Long>> getCollectionsWithBitstreamSizesTotal(Context context)
        throws SQLException {
-        String q = "select col as collection, sum(bit.sizeBytes) as totalBytes from Item i join i.collections col " +
-            "join i.bundles bun join bun.bitstreams bit group by col";
+        String q = "select col.id, sum(bit.sizeBytes) as totalBytes from Item i join i.collections col " +
+            "join i.bundles bun join bun.bitstreams bit group by col.id";
        Query query = createQuery(context, q);

+        CriteriaBuilder criteriaBuilder = getCriteriaBuilder(context);
+
        List<Object[]> list = query.getResultList();
        List<Map.Entry<Collection, Long>> returnList = new ArrayList<>(list.size());
        for (Object[] o : list) {
-            returnList.add(new AbstractMap.SimpleEntry<>((Collection) o[0], (Long) o[1]));
+            CriteriaQuery<Collection> criteriaQuery = criteriaBuilder.createQuery(Collection.class);
+            Root<Collection> collectionRoot = criteriaQuery.from(Collection.class);
+            criteriaQuery.select(collectionRoot).where(criteriaBuilder.equal(collectionRoot.get("id"), (UUID) o[0]));
+            Query collectionQuery = createQuery(context, criteriaQuery);
+            Collection collection = (Collection) collectionQuery.getSingleResult();
+            if (collection != null) {
+                returnList.add(new AbstractMap.SimpleEntry<>(collection, (Long) o[1]));
+            } else {
+                log.warn("Unable to find Collection with UUID: {}", o[0]);
+            }
        }
        return returnList;
    }
--- a/dspace-api/src/main/java/org/dspace/content/packager/AbstractMETSDisseminator.java
+++ b/dspace-api/src/main/java/org/dspace/content/packager/AbstractMETSDisseminator.java
@@ -560,7 +560,7 @@ public abstract class AbstractMETSDisseminator
            //create our metadata element (dmdSec, techMd, sourceMd, rightsMD etc.)
            MdSec mdSec = (MdSec) mdSecClass.getDeclaredConstructor().newInstance();
            mdSec.setID(gensym(mdSec.getLocalName()));
-            String parts[] = typeSpec.split(":", 2);
+            String[] parts = typeSpec.split(":", 2);
            String xwalkName;
            String metsName;

@@ -685,7 +685,7 @@ public abstract class AbstractMETSDisseminator
    // add either a techMd or sourceMd element to amdSec.
    // mdSecClass determines which type.
    // mdTypes[] is array of "[metsName:]PluginName" strings, maybe empty.
-    protected void addToAmdSec(AmdSec fAmdSec, String mdTypes[], Class mdSecClass,
+    protected void addToAmdSec(AmdSec fAmdSec, String[] mdTypes, Class mdSecClass,
                               Context context, DSpaceObject dso,
                               PackageParameters params,
                               MdStreamCache extraStreams)
@@ -708,10 +708,10 @@ public abstract class AbstractMETSDisseminator
            IOException, AuthorizeException, NoSuchMethodException,
            InstantiationException, IllegalAccessException, IllegalArgumentException,
            IllegalArgumentException, InvocationTargetException {
-        String techMdTypes[] = getTechMdTypes(context, dso, params);
-        String rightsMdTypes[] = getRightsMdTypes(context, dso, params);
-        String sourceMdTypes[] = getSourceMdTypes(context, dso, params);
-        String digiprovMdTypes[] = getDigiprovMdTypes(context, dso, params);
+        String[] techMdTypes = getTechMdTypes(context, dso, params);
+        String[] rightsMdTypes = getRightsMdTypes(context, dso, params);
+        String[] sourceMdTypes = getSourceMdTypes(context, dso, params);
+        String[] digiprovMdTypes = getDigiprovMdTypes(context, dso, params);

        // only bother if there are any sections to add
        if ((techMdTypes.length + sourceMdTypes.length +
@@ -794,10 +794,10 @@ public abstract class AbstractMETSDisseminator
        // add DMD sections
        // Each type element MAY be either just a MODS-and-crosswalk name, OR
        // a combination "MODS-name:crosswalk-name" (e.g. "DC:qDC").
-        String dmdTypes[] = getDmdTypes(context, dso, params);
+        String[] dmdTypes = getDmdTypes(context, dso, params);

        // record of ID of each dmdsec to make DMDID in structmap.
-        String dmdId[] = new String[dmdTypes.length];
+        String[] dmdId = new String[dmdTypes.length];
        for (int i = 0; i < dmdTypes.length; ++i) {
            MdSec dmdSec = makeMdSec(context, dso, DmdSec.class, dmdTypes[i], params, extraStreams);
            if (dmdSec != null) {
@@ -981,7 +981,7 @@ public abstract class AbstractMETSDisseminator
            // add metadata & info for Template Item, if exists
            Item templateItem = collection.getTemplateItem();
            if (templateItem != null) {
-                String templateDmdId[] = new String[dmdTypes.length];
+                String[] templateDmdId = new String[dmdTypes.length];
                // index where we should add the first template item <dmdSec>.
                // Index = number of <dmdSecs> already added + number of <metsHdr> = # of dmdSecs + 1
                // (Note: in order to be a valid METS file, all dmdSecs must be before the 1st amdSec)
@@ -1239,8 +1239,8 @@ public abstract class AbstractMETSDisseminator
        try {
            // add crosswalk's namespaces and schemaLocation to this element:
            String raw = xwalk.getSchemaLocation();
-            String sloc[] = raw == null ? null : raw.split("\\s+");
-            Namespace ns[] = xwalk.getNamespaces();
+            String[] sloc = raw == null ? null : raw.split("\\s+");
+            Namespace[] ns = xwalk.getNamespaces();
            for (int i = 0; i < ns.length; ++i) {
                String uri = ns[i].getURI();
                if (sloc != null && sloc.length > 1 && uri.equals(sloc[0])) {
--- a/dspace-api/src/main/java/org/dspace/content/packager/AbstractMETSIngester.java
+++ b/dspace-api/src/main/java/org/dspace/content/packager/AbstractMETSIngester.java
@@ -498,8 +498,11 @@ public abstract class AbstractMETSIngester extends AbstractPackageIngester {
                // Finish creating the item. This actually assigns the handle,
                // and will either install item immediately or start a workflow, based on params
                PackageUtils.finishCreateItem(context, wsi, handle, params);
+            } else {
+                // We should have a workspace item during ingest, so this code is only here for safety.
+                // Update the object to make sure all changes are committed
+                PackageUtils.updateDSpaceObject(context, dso);
            }
-
        } else if (type == Constants.COLLECTION || type == Constants.COMMUNITY) {
            // Add logo if one is referenced from manifest
            addContainerLogo(context, dso, manifest, pkgFile, params);
@@ -513,6 +516,9 @@ public abstract class AbstractMETSIngester extends AbstractPackageIngester {
            // (this allows subclasses to do some final validation / changes as
            // necessary)
            finishObject(context, dso, params);
+
+            // Update the object to make sure all changes are committed
+            PackageUtils.updateDSpaceObject(context, dso);
        } else if (type == Constants.SITE) {
            // Do nothing by default -- Crosswalks will handle anything necessary to ingest at Site-level

@@ -520,18 +526,15 @@ public abstract class AbstractMETSIngester extends AbstractPackageIngester {
            // (this allows subclasses to do some final validation / changes as
            // necessary)
            finishObject(context, dso, params);
+
+            // Update the object to make sure all changes are committed
+            PackageUtils.updateDSpaceObject(context, dso);
        } else {
            throw new PackageValidationException(
                "Unknown DSpace Object type in package, type="
                    + String.valueOf(type));
        }

-        // -- Step 6 --
-        // Finish things up!
-
-        // Update the object to make sure all changes are committed
-        PackageUtils.updateDSpaceObject(context, dso);
-
        return dso;
    }

@@ -1419,7 +1422,7 @@ public abstract class AbstractMETSIngester extends AbstractPackageIngester {
     * @throws AuthorizeException         if authorization error
     */
    public abstract void crosswalkObjectDmd(Context context, DSpaceObject dso,
-                                            METSManifest manifest, MdrefManager callback, Element dmds[],
+                                            METSManifest manifest, MdrefManager callback, Element[] dmds,
                                            PackageParameters params) throws CrosswalkException,
        PackageValidationException, AuthorizeException, SQLException,
        IOException;
--- a/dspace-api/src/main/java/org/dspace/content/packager/DSpaceAIPIngester.java
+++ b/dspace-api/src/main/java/org/dspace/content/packager/DSpaceAIPIngester.java
@@ -109,7 +109,7 @@ public class DSpaceAIPIngester
    public void crosswalkObjectDmd(Context context, DSpaceObject dso,
                                   METSManifest manifest,
                                   MdrefManager callback,
-                                   Element dmds[], PackageParameters params)
+                                   Element[] dmds, PackageParameters params)
        throws CrosswalkException, PackageValidationException,
        AuthorizeException, SQLException, IOException {
        int found = -1;
--- a/dspace-api/src/main/java/org/dspace/content/packager/DSpaceMETSDisseminator.java
+++ b/dspace-api/src/main/java/org/dspace/content/packager/DSpaceMETSDisseminator.java
@@ -138,7 +138,7 @@ public class DSpaceMETSDisseminator

        // XXX FIXME maybe let dmd choices be configured in DSpace config?

-        String result[] = null;
+        String[] result = null;
        if (params != null) {
            result = params.getProperties("dmd");
        }
@@ -163,7 +163,7 @@ public class DSpaceMETSDisseminator
    public String[] getTechMdTypes(Context context, DSpaceObject dso, PackageParameters params)
        throws SQLException, IOException, AuthorizeException {
        if (dso.getType() == Constants.BITSTREAM) {
-            String result[] = new String[1];
+            String[] result = new String[1];
            result[0] = "PREMIS";
            return result;
        } else {
--- a/dspace-api/src/main/java/org/dspace/content/packager/DSpaceMETSIngester.java
+++ b/dspace-api/src/main/java/org/dspace/content/packager/DSpaceMETSIngester.java
@@ -81,7 +81,7 @@ public class DSpaceMETSIngester
    public void crosswalkObjectDmd(Context context, DSpaceObject dso,
                                   METSManifest manifest,
                                   MdrefManager callback,
-                                   Element dmds[], PackageParameters params)
+                                   Element[] dmds, PackageParameters params)
        throws CrosswalkException, PackageValidationException,
        AuthorizeException, SQLException, IOException {
        int found = -1;
@@ -185,7 +185,7 @@ public class DSpaceMETSIngester
        PluginService pluginService = CoreServiceFactory.getInstance().getPluginService();

        // get the MediaFilter that would create this bundle:
-        String mfNames[] = pluginService.getAllPluginNames(MediaFilter.class);
+        String[] mfNames = pluginService.getAllPluginNames(MediaFilter.class);

        for (int i = 0; i < mfNames.length; ++i) {
            MediaFilter mf = (MediaFilter) pluginService.getNamedPlugin(MediaFilter.class, mfNames[i]);
--- a/dspace-api/src/main/java/org/dspace/content/packager/METSManifest.java
+++ b/dspace-api/src/main/java/org/dspace/content/packager/METSManifest.java
@@ -20,6 +20,7 @@ import java.util.List;
 import org.apache.commons.codec.binary.Base64;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.dspace.app.util.XMLUtils;
 import org.dspace.authorize.AuthorizeException;
 import org.dspace.content.Bitstream;
 import org.dspace.content.Bundle;
@@ -209,7 +210,7 @@ public class METSManifest {
            //  mets.xsd.dc =  http://purl.org/dc/elements/1.1/ dc.xsd
            // (filename is relative to {dspace_dir}/config/schemas/)
            String spec = configurationService.getProperty(key);
-            String val[] = spec.trim().split("\\s+");
+            String[] val = spec.trim().split("\\s+");
            if (val.length == 2) {
                File xsd = new File(xsdPath1, val[1]);
                if (!xsd.exists()) {
@@ -220,7 +221,7 @@ public class METSManifest {
                } else {
                    try {
                        String u = xsd.toURI().toURL().toString();
-                        if (result.length() > 0) {
+                        if (!result.isEmpty()) {
                            result.append(" ");
                        }
                        result.append(val[0]).append(" ").append(u);
@@ -265,12 +266,13 @@ public class METSManifest {
    public static METSManifest create(InputStream is, boolean validate, String configName)
        throws IOException,
        MetadataValidationException {
-        SAXBuilder builder = new SAXBuilder(validate);

+        SAXBuilder builder = XMLUtils.getSAXBuilder();
        builder.setIgnoringElementContentWhitespace(true);

        // Set validation feature
        if (validate) {
+            builder.setValidation(true);
            builder.setFeature("http://apache.org/xml/features/validation/schema", true);

            // Tell the parser where local copies of schemas are, to speed up
@@ -278,10 +280,6 @@ public class METSManifest {
            if (localSchemas.length() > 0) {
                builder.setProperty("http://apache.org/xml/properties/schema/external-schemaLocation", localSchemas);
            }
-        } else {
-            // disallow DTD parsing to ensure no XXE attacks can occur.
-            // See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
-            builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        }

        // Parse the METS file
@@ -653,7 +651,7 @@ public class METSManifest {

                        String mimeType = mdWrap.getAttributeValue("MIMETYPE");
                        if (mimeType != null && mimeType.equalsIgnoreCase("text/xml")) {
-                            byte value[] = Base64.decodeBase64(bin.getText().getBytes(StandardCharsets.UTF_8));
+                            byte[] value = Base64.decodeBase64(bin.getText().getBytes(StandardCharsets.UTF_8));
                            Document mdd = parser.build(new ByteArrayInputStream(value));
                            List<Element> result = new ArrayList<>(1);
                            result.add(mdd.getRootElement());
@@ -721,7 +719,7 @@ public class METSManifest {
                    throw new MetadataValidationException(
                        "Invalid METS Manifest: mdWrap element with neither xmlData nor binData child.");
                } else {
-                    byte value[] = Base64.decodeBase64(bin.getText().getBytes(StandardCharsets.UTF_8));
+                    byte[] value = Base64.decodeBase64(bin.getText().getBytes(StandardCharsets.UTF_8));
                    return new ByteArrayInputStream(value);
                }
            } else {
@@ -952,8 +950,8 @@ public class METSManifest {
    public Element[] getDmdElements(String dmdList)
        throws MetadataValidationException {
        if (dmdList != null && !dmdList.isEmpty()) {
-            String dmdID[] = dmdList.split("\\s+");
-            Element result[] = new Element[dmdID.length];
+            String[] dmdID = dmdList.split("\\s+");
+            Element[] result = new Element[dmdID.length];

            for (int i = 0; i < dmdID.length; ++i) {
                result[i] = getElementByXPath("mets:dmdSec[@ID=\"" + dmdID[i] + "\"]", false);
@@ -982,7 +980,7 @@ public class METSManifest {
            }
            return new Element[0];
        }
-        String amdID[] = amds.split("\\s+");
+        String[] amdID = amds.split("\\s+");
        List<Element> resultList = new ArrayList<>();
        for (int i = 0; i < amdID.length; ++i) {
            List rmds = getElementByXPath("mets:amdSec[@ID=\"" + amdID[i] + "\"]", false).
@@ -1169,7 +1167,7 @@ public class METSManifest {
                                    "Invalid METS Manifest: mdWrap element for streaming crosswalk without binData " +
                                        "child.");
                            } else {
-                                byte value[] = Base64.decodeBase64(bin.getText().getBytes(StandardCharsets.UTF_8));
+                                byte[] value = Base64.decodeBase64(bin.getText().getBytes(StandardCharsets.UTF_8));
                                sxwalk.ingest(context, dso,
                                              new ByteArrayInputStream(value),
                                              mdWrap.getAttributeValue("MIMETYPE"));
@@ -1230,7 +1228,7 @@ public class METSManifest {
            log.warn("Got no bitstream ADMID, file@ID=" + fileId);
            return;
        }
-        String amdID[] = amds.split("\\s+");
+        String[] amdID = amds.split("\\s+");
        for (int i = 0; i < amdID.length; ++i) {
            Element amdSec = getElementByXPath("mets:amdSec[@ID=\"" + amdID[i] + "\"]", false);
            for (Iterator ti = amdSec.getChildren("techMD", metsNS).iterator(); ti.hasNext(); ) {
@@ -1264,7 +1262,7 @@ public class METSManifest {
            log.warn("Got no bitstream ADMID, file@ID=" + fileId);
            return;
        }
-        String amdID[] = amds.split("\\s+");
+        String[] amdID = amds.split("\\s+");
        for (int i = 0; i < amdID.length; ++i) {
            Element amdSec = getElementByXPath("mets:amdSec[@ID=\"" + amdID[i] + "\"]", false);
            for (Iterator ti = amdSec.getChildren("techMD", metsNS).iterator(); ti.hasNext(); ) {
--- a/dspace-api/src/main/java/org/dspace/content/packager/PDFPackager.java
+++ b/dspace-api/src/main/java/org/dspace/content/packager/PDFPackager.java
@@ -19,11 +19,11 @@ import java.util.List;

 import org.apache.commons.lang3.ArrayUtils;
 import org.apache.logging.log4j.Logger;
+import org.apache.pdfbox.Loader;
 import org.apache.pdfbox.cos.COSDocument;
 import org.apache.pdfbox.io.MemoryUsageSetting;
-import org.apache.pdfbox.io.RandomAccessBufferedFileInputStream;
+import org.apache.pdfbox.io.RandomAccessReadBuffer;
 import org.apache.pdfbox.io.ScratchFile;
-import org.apache.pdfbox.pdfparser.PDFParser;
 import org.apache.pdfbox.pdmodel.PDDocument;
 import org.apache.pdfbox.pdmodel.PDDocumentInformation;
 import org.dspace.authorize.AuthorizeException;
@@ -78,10 +78,10 @@ public class PDFPackager

    protected static final String BITSTREAM_FORMAT_NAME = "Adobe PDF";

-    protected static String aliases[] = {"PDF", "Adobe PDF", "pdf", "application/pdf"};
+    protected static String[] aliases = {"PDF", "Adobe PDF", "pdf", "application/pdf"};

    public static String[] getPluginNames() {
-        return (String[]) ArrayUtils.clone(aliases);
+        return ArrayUtils.clone(aliases);
    }

    protected final BitstreamService bitstreamService = ContentServiceFactory.getInstance().getBitstreamService();
@@ -331,19 +331,24 @@ public class PDFPackager
        COSDocument cos = null;

        try {
-            ScratchFile scratchFile = null;
+            PDDocument document = null;
+
            try {
-                long useRAM = Runtime.getRuntime().freeMemory() * 80 / 100; // use up to 80% of JVM free memory
-                scratchFile = new ScratchFile(
-                    MemoryUsageSetting.setupMixed(useRAM)); // then fallback to temp file (unlimited size)
+                // Use up to 80% of JVM free memory and fall back to a temp file (unlimited size)
+                long useRAM = Runtime.getRuntime().freeMemory() * 80 / 100;
+                document = Loader.loadPDF(
+                        new RandomAccessReadBuffer(metadata),
+                        () -> new ScratchFile(MemoryUsageSetting.setupMixed(useRAM)));
            } catch (IOException ioe) {
                log.warn("Error initializing scratch file: " + ioe.getMessage());
            }

-            PDFParser parser = new PDFParser(new RandomAccessBufferedFileInputStream(metadata), scratchFile);
-            parser.parse();
-            cos = parser.getDocument();
+            // sanity check: loaded PDF document must not be null.
+            if (document == null) {
+                throw new MetadataValidationException("The provided stream could not be parsed into a PDF document.");
+            }

+            cos = document.getDocument();
            // sanity check: PDFBox breaks on encrypted documents, so give up.
            if (cos.getEncryptionDictionary() != null) {
                throw new MetadataValidationException("This packager cannot accept an encrypted PDF document.");
--- a/dspace-api/src/main/java/org/dspace/content/packager/PackageParameters.java
+++ b/dspace-api/src/main/java/org/dspace/content/packager/PackageParameters.java
@@ -52,7 +52,7 @@ public class PackageParameters extends Properties {
        Enumeration pe = request.getParameterNames();
        while (pe.hasMoreElements()) {
            String name = (String) pe.nextElement();
-            String v[] = request.getParameterValues(name);
+            String[] v = request.getParameterValues(name);
            if (v.length == 0) {
                result.setProperty(name, "");
            } else if (v.length == 1) {
--- a/dspace-api/src/main/java/org/dspace/content/packager/PackageUtils.java
+++ b/dspace-api/src/main/java/org/dspace/content/packager/PackageUtils.java
@@ -72,7 +72,7 @@ public class PackageUtils {
    // Map of metadata elements for Communities and Collections
    // Format is alternating key/value in a straight array; use this
    // to initialize hash tables that convert to and from.
-    protected static final String ccMetadataMap[] = {
+    protected static final String[] ccMetadataMap = {
        // getMetadata()  ->  DC element.term
        "name",                    "dc.title",
        "introductory_text",       "dc.description",
--- a/dspace-api/src/main/java/org/dspace/content/packager/RoleIngester.java
+++ b/dspace-api/src/main/java/org/dspace/content/packager/RoleIngester.java
@@ -21,6 +21,7 @@ import javax.xml.parsers.ParserConfigurationException;
 import org.apache.commons.codec.DecoderException;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.dspace.app.util.XMLUtils;
 import org.dspace.authorize.AuthorizeException;
 import org.dspace.content.Collection;
 import org.dspace.content.Community;
@@ -385,7 +386,7 @@ public class RoleIngester implements PackageIngester {
        Document document;

        try {
-            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+            DocumentBuilderFactory dbf = XMLUtils.getDocumentBuilderFactory();
            dbf.setIgnoringComments(true);
            dbf.setCoalescing(true);
            DocumentBuilder db = dbf.newDocumentBuilder();
@@ -419,7 +420,7 @@ public class RoleIngester implements PackageIngester {
        Document document;

        try {
-            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+            DocumentBuilderFactory dbf = XMLUtils.getDocumentBuilderFactory();
            dbf.setIgnoringComments(true);
            dbf.setCoalescing(true);
            DocumentBuilder db = dbf.newDocumentBuilder();
--- a/dspace-api/src/main/java/org/dspace/content/service/BitstreamService.java
+++ b/dspace-api/src/main/java/org/dspace/content/service/BitstreamService.java
@@ -169,7 +169,7 @@ public interface BitstreamService extends DSpaceObjectService<Bitstream>, DSpace
    /**
     * Determine if this bitstream is registered (available elsewhere on
     * filesystem than in assetstore). More about registered items:
-     * https://wiki.duraspace.org/display/DSDOC3x/Registering+(not+Importing)+Bitstreams+via+Simple+Archive+Format
+     * https://wiki.lyrasis.org/display/DSDOC3x/Registering+(not+Importing)+Bitstreams+via+Simple+Archive+Format
     *
     * @param bitstream DSpace bitstream
     * @return true if the bitstream is registered, false otherwise
--- a/dspace-api/src/main/java/org/dspace/content/service/BundleService.java
+++ b/dspace-api/src/main/java/org/dspace/content/service/BundleService.java
@@ -143,7 +143,7 @@ public interface BundleService extends DSpaceObjectService<Bundle>, DSpaceObject
     * @throws SQLException       when an SQL error has occurred (querying DSpace)
     * @throws AuthorizeException If the user can't make the changes
     */
-    public void setOrder(Context context, Bundle bundle, UUID bitstreamIds[]) throws AuthorizeException, SQLException;
+    public void setOrder(Context context, Bundle bundle, UUID[] bitstreamIds) throws AuthorizeException, SQLException;

    int countTotal(Context context) throws SQLException;
 }
--- a/dspace-api/src/main/java/org/dspace/content/service/DSpaceObjectService.java
+++ b/dspace-api/src/main/java/org/dspace/content/service/DSpaceObjectService.java
@@ -202,7 +202,7 @@ public interface DSpaceObjectService<T extends DSpaceObject> {
     * Get the value(s) of a metadata field.
     * @param dSpaceObject the object whose metadata are sought.
     * @param mdString the name of the field:  {@code schema.element.qualifier}.
-     * @param authority name of the authority which controls these values, or null.
+     * @param authority name of the authority which controls these values, or Item.ANY, or null.
     * @return all matching metadata values, or null if none.
     */
    public List<MetadataValue> getMetadata(T dSpaceObject, String mdString, String authority);
@@ -216,7 +216,7 @@ public interface DSpaceObjectService<T extends DSpaceObject> {
     * @param lang the language of the requested field value(s),
     *              null if explicitly no language,
     *              or {@link org.dspace.content.Item.ANY} to match all languages.
-     * @param authority name of the authority which controls these values, or null.
+     * @param authority name of the authority which controls these values, or Item.ANY, or null.
     * @return value(s) of the indicated field for the given DSO, or null.
     */
    public List<MetadataValue> getMetadata(T dSpaceObject, String schema,
--- a/dspace-api/src/main/java/org/dspace/contentreport/Filter.java
+++ b/dspace-api/src/main/java/org/dspace/contentreport/Filter.java
@@ -26,6 +26,7 @@ import org.dspace.authorize.service.AuthorizeService;
 import org.dspace.content.Bundle;
 import org.dspace.content.Item;
 import org.dspace.contentreport.ItemFilterUtil.BundleName;
+import org.dspace.core.Constants;
 import org.dspace.core.Context;
 import org.dspace.services.factory.DSpaceServicesFactory;

@@ -268,7 +269,7 @@ public enum Filter {
    HAS_LICENSE_DOCUMENTATION(FilterCategory.BUNDLE, (context, item) -> {
        List<String> names = ItemFilterUtil.getBitstreamNames(BundleName.LICENSE, item);
        return names.stream()
-                .anyMatch(name -> !name.equals("license.txt"));
+                .anyMatch(name -> !name.equals(Constants.LICENSE_BITSTREAM_NAME));
    }),

    /**
--- a/dspace-api/src/main/java/org/dspace/core/AbstractHibernateDAO.java
+++ b/dspace-api/src/main/java/org/dspace/core/AbstractHibernateDAO.java
@@ -468,6 +468,9 @@ public abstract class AbstractHibernateDAO<T> implements GenericDAO<T> {
        for (Map.Entry<String, Object> entry : equals.entrySet()) {
            criteria.where(criteriaBuilder.equal(root.get(entry.getKey()), entry.getValue()));
        }
+
+        criteria.orderBy(criteriaBuilder.asc(root.get("id")));
+
        return executeCriteriaQuery(context, criteria, cacheable, maxResults, offset);
    }

--- a/dspace-api/src/main/java/org/dspace/core/LegacyPluginServiceImpl.java
+++ b/dspace-api/src/main/java/org/dspace/core/LegacyPluginServiceImpl.java
@@ -192,7 +192,7 @@ public class LegacyPluginServiceImpl implements PluginService {
            classname = sequenceConfig.get(iname);
        }

-        Object result[] = (Object[]) Array.newInstance(interfaceClass, classname.length);
+        Object[] result = (Object[]) Array.newInstance(interfaceClass, classname.length);
        for (int i = 0; i < classname.length; ++i) {
            log.debug("Adding Sequence plugin for interface= " + iname + ", class=" + classname[i]);
            result[i] = getAnonymousPlugin(classname[i]);
@@ -277,7 +277,7 @@ public class LegacyPluginServiceImpl implements PluginService {
                for (String classname : selfNamedVals) {
                    try {
                        Class pluginClass = Class.forName(classname, true, loader);
-                        String names[] = (String[]) pluginClass.getMethod("getPluginNames").
+                        String[] names = (String[]) pluginClass.getMethod("getPluginNames").
                            invoke(null);
                        if (names == null || names.length == 0) {
                            log.error(
@@ -302,7 +302,7 @@ public class LegacyPluginServiceImpl implements PluginService {
    }

    // add info for a named plugin to cache, under all its names.
-    private int installNamedConfigs(String iname, String classname, String names[])
+    private int installNamedConfigs(String iname, String classname, String[] names)
        throws ClassNotFoundException {
        int found = 0;
        for (int i = 0; i < names.length; ++i) {
--- a/dspace-api/src/main/java/org/dspace/core/Utils.java
+++ b/dspace-api/src/main/java/org/dspace/core/Utils.java
@@ -500,4 +500,5 @@ public final class Utils {
        return LocalDateTime.of(-4713, 11, 12, 0, 0, 0)
                .toInstant(ZoneOffset.UTC);
    }
+
 }
--- a/dspace-api/src/main/java/org/dspace/ctask/general/MetadataWebService.java
+++ b/dspace-api/src/main/java/org/dspace/ctask/general/MetadataWebService.java
@@ -37,6 +37,7 @@ import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.dspace.app.client.DSpaceHttpClientFactory;
+import org.dspace.app.util.XMLUtils;
 import org.dspace.authorize.AuthorizeException;
 import org.dspace.content.DSpaceObject;
 import org.dspace.content.Item;
@@ -176,7 +177,7 @@ public class MetadataWebService extends AbstractCurationTask implements Namespac
        fieldSeparator = (fldSep != null) ? fldSep : " ";
        urlTemplate = taskProperty("template");
        templateParam = urlTemplate.substring(urlTemplate.indexOf("{") + 1,
-                                              urlTemplate.indexOf("}"));
+                urlTemplate.indexOf("}"));
        String[] parsed = parseTransform(templateParam);
        lookupField = parsed[0];
        lookupTransform = parsed[1];
@@ -204,13 +205,9 @@ public class MetadataWebService extends AbstractCurationTask implements Namespac
            }
        }
        // initialize response document parser
-        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
-        factory.setNamespaceAware(true);
        try {
-            // disallow DTD parsing to ensure no XXE attacks can occur
-            // See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
-            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
-            factory.setXIncludeAware(false);
+            DocumentBuilderFactory factory = XMLUtils.getDocumentBuilderFactory();
+            factory.setNamespaceAware(true);
            docBuilder = factory.newDocumentBuilder();
        } catch (ParserConfigurationException pcE) {
            log.error("caught exception: " + pcE);
--- a/dspace-api/src/main/java/org/dspace/discovery/SolrSearchCore.java
+++ b/dspace-api/src/main/java/org/dspace/discovery/SolrSearchCore.java
@@ -88,9 +88,11 @@ public class SolrSearchCore {
                    solrServer.setBaseURL(solrService);
                    solrServer.setUseMultiPartPost(true);
                    // Dummy/test query to search for Item (type=2) of ID=1
-                    SolrQuery solrQuery = new SolrQuery()
-                        .setQuery(SearchUtils.RESOURCE_TYPE_FIELD + ":" + IndexableItem.TYPE +
-                                " AND " + SearchUtils.RESOURCE_ID_FIELD + ":1");
+                    SolrQuery solrQuery = new SolrQuery();
+                    solrQuery.setQuery("*:*");
+                    solrQuery.addFilterQuery(
+                            SearchUtils.RESOURCE_TYPE_FIELD + ":" + IndexableItem.TYPE,
+                            SearchUtils.RESOURCE_ID_FIELD + ":1");
                    // Only return obj identifier fields in result doc
                    solrQuery.setFields(SearchUtils.RESOURCE_TYPE_FIELD, SearchUtils.RESOURCE_ID_FIELD);
                    solrServer.query(solrQuery, REQUEST_METHOD);
--- a/dspace-api/src/main/java/org/dspace/discovery/SolrServiceImpl.java
+++ b/dspace-api/src/main/java/org/dspace/discovery/SolrServiceImpl.java
@@ -71,6 +71,7 @@ import org.dspace.discovery.indexobject.IndexableCommunity;
 import org.dspace.discovery.indexobject.IndexableItem;
 import org.dspace.discovery.indexobject.factory.IndexFactory;
 import org.dspace.discovery.indexobject.factory.IndexObjectFactoryFactory;
+import org.dspace.discovery.indexobject.factory.ItemIndexFactory;
 import org.dspace.eperson.Group;
 import org.dspace.eperson.factory.EPersonServiceFactory;
 import org.dspace.eperson.service.GroupService;
@@ -340,6 +341,7 @@ public class SolrServiceImpl implements SearchService, IndexingService {
        try {
            final List<IndexFactory> indexableObjectServices = indexObjectServiceFactory.
                getIndexFactories();
+            int indexObject = 0;
            for (IndexFactory indexableObjectService : indexableObjectServices) {
                if (type == null || StringUtils.equals(indexableObjectService.getType(), type)) {
                    final Iterator<IndexableObject> indexableObjects = indexableObjectService.findAll(context);
@@ -347,6 +349,10 @@ public class SolrServiceImpl implements SearchService, IndexingService {
                        final IndexableObject indexableObject = indexableObjects.next();
                        indexContent(context, indexableObject, force);
                        context.uncacheEntity(indexableObject.getIndexedObject());
+                        indexObject++;
+                        if ((indexObject % 100) == 0 && indexableObjectService instanceof ItemIndexFactory) {
+                            context.uncacheEntities();
+                        }
                    }
                }
            }
@@ -786,16 +792,20 @@ public class SolrServiceImpl implements SearchService, IndexingService {

        solrQuery.setQuery(query);

-        // Add any search fields to our query. This is the limited list
-        // of fields that will be returned in the solr result
-        for (String fieldName : discoveryQuery.getSearchFields()) {
-            solrQuery.addField(fieldName);
+        if (discoveryQuery.getMaxResults() != 0) {
+            // set search fields in Solr query only if we are interested in the actual search results
+
+            // Add any search fields to our query. This is the limited list
+            // of fields that will be returned in the solr result
+            for (String fieldName : discoveryQuery.getSearchFields()) {
+                solrQuery.addField(fieldName);
+            }
+            // Also ensure a few key obj identifier fields are returned with every query
+            solrQuery.addField(SearchUtils.RESOURCE_TYPE_FIELD);
+            solrQuery.addField(SearchUtils.RESOURCE_ID_FIELD);
+            solrQuery.addField(SearchUtils.RESOURCE_UNIQUE_ID);
+            solrQuery.addField(STATUS_FIELD);
        }
-        // Also ensure a few key obj identifier fields are returned with every query
-        solrQuery.addField(SearchUtils.RESOURCE_TYPE_FIELD);
-        solrQuery.addField(SearchUtils.RESOURCE_ID_FIELD);
-        solrQuery.addField(SearchUtils.RESOURCE_UNIQUE_ID);
-        solrQuery.addField(STATUS_FIELD);

        if (discoveryQuery.isSpellCheck()) {
            solrQuery.setParam(SpellingParams.SPELLCHECK_Q, query);
--- a/dspace-api/src/main/java/org/dspace/disseminate/CitationDocumentServiceImpl.java
+++ b/dspace-api/src/main/java/org/dspace/disseminate/CitationDocumentServiceImpl.java
@@ -20,6 +20,8 @@ import java.util.Set;
 import org.apache.commons.lang3.tuple.Pair;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.apache.pdfbox.Loader;
+import org.apache.pdfbox.io.RandomAccessReadBuffer;
 import org.apache.pdfbox.pdmodel.PDDocument;
 import org.apache.pdfbox.pdmodel.PDPage;
 import org.dspace.authorize.AuthorizeException;
@@ -124,7 +126,7 @@ public class CitationDocumentServiceImpl implements CitationDocumentService, Ini
        //Load enabled collections
        String[] citationEnabledCollections = configurationService
                .getArrayProperty("citation-page.enabled_collections");
-        citationEnabledCollectionsList = Arrays.asList(citationEnabledCollections);
+        citationEnabledCollectionsList = new ArrayList<String>(Arrays.asList(citationEnabledCollections));

        //Load enabled communities, and add to collection-list
        String[] citationEnabledCommunities = configurationService
@@ -264,7 +266,7 @@ public class CitationDocumentServiceImpl implements CitationDocumentService, Ini

    private PDDocument loadDocumentFromDB(Context context, Bitstream bitstream) {
        try (var inputStream = bitstreamService.retrieve(context, bitstream)) {
-            return PDDocument.load(inputStream);
+            return Loader.loadPDF(new RandomAccessReadBuffer(inputStream));
        } catch (IOException | SQLException | AuthorizeException e) {
            throw new RuntimeException(e);
        }
@@ -307,4 +309,4 @@ public class CitationDocumentServiceImpl implements CitationDocumentService, Ini
            }
        }
    }
-}
+}
--- a/dspace-api/src/main/java/org/dspace/disseminate/PdfGenerator.java
+++ b/dspace-api/src/main/java/org/dspace/disseminate/PdfGenerator.java
@@ -15,6 +15,7 @@ import java.io.OutputStream;
 import java.util.Map;
 import java.util.stream.Collectors;

+import org.apache.pdfbox.Loader;
 import org.apache.pdfbox.pdmodel.PDDocument;
 import org.thymeleaf.TemplateEngine;
 import org.thymeleaf.context.Context;
@@ -84,7 +85,7 @@ public class PdfGenerator {
    public PDDocument generate(String html) {
        try (var out = new ByteArrayOutputStream()) {
            generate(html, out);
-            return PDDocument.load(out.toByteArray());
+            return Loader.loadPDF(out.toByteArray());
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
--- a/dspace-api/src/main/java/org/dspace/embargo/DayTableEmbargoSetter.java
+++ b/dspace-api/src/main/java/org/dspace/embargo/DayTableEmbargoSetter.java
@@ -79,7 +79,7 @@ public class DayTableEmbargoSetter extends DefaultEmbargoSetter {
    private Properties getTermProperties() {
        Properties termProps = new Properties();

-        String terms[] = DSpaceServicesFactory.getInstance().getConfigurationService()
+        String[] terms = DSpaceServicesFactory.getInstance().getConfigurationService()
                                              .getArrayProperty("embargo.terms.days");

        if (terms != null) {
--- a/Show More
+++ b/Show More