Update FileUpload dependency to 2.0.0-M5

[miguno]

Thanks for your continued work on ring!

This PR updates org.apache.commons/commons-fileupload2-core to 2.0.0-M5 from Feb 17, 2026 to address a CVE in 2.0.0-M4.

Background: The currently used version 2.0.0-M4 of org.apache.commons/commons-fileupload2-core is, via its own dependencies, vulnerable to CVE-2025-48924 (StackOverflowError on very long inputs).

References:

• https://mvnrepository.com/artifact/org.apache.commons/commons-fileupload2/2.0.0-M4 (lists the vulnerability)

[weavejester]

It appears as if the API for setFileSizeMax has been changed between M4 and M5.

[weavejester]

It looks like setFileSizeMax is now setMaxFileSize.

[miguno]

Updated the PR. Both lein test and lein test-all pass for me locally.

[weavejester]

This also looks good! Can you squash down your commits into one? You can use your original commit message.

[miguno]

Squashing done!

[weavejester]

I don't think we need the second line of the commit message, since it's part of the update to 2.0.0-M5. So could you change the commit message to:

Update FileUpload dependency to 2.0.0-M5

This also ensures the commit message adheres to the contributing guidelines.

[miguno]

Done!

[weavejester]

Merged, thanks! When the other PR is merged, I'll cut a new patch release.