Use the Spring dependency management plugin instead of hardcoding. This allows us to stop hard-coding version numbers in many locations.

Also upgrade Spring, Spring-Boot, and Spring-Security to the latest 6.1.x, 3.3.x, and 6.3.x respectively. A full upgrade would be to 6.2, 3.4, and 6.4, but this would be nontrivial.

Tested locally by running Local UI and API.

PR checklist

• I have included an issue ID or "no ticket" in the PR title as outlined in CONTRIBUTING.md.
• I have included a risk tag of the form [risk=no|low|moderate|severe] in the PR title as outlined in CONTRIBUTING.md.
• I have manually tested this change and my testing process is described above.
• This change includes appropriate automated tests, and I have documented any behavior that cannot be tested with code.
• I have added explanatory comments where the logic is not obvious.
• One or more of the following is true:
  • This change is intended to complete a JIRA story, so I have checked that all AC are met for that story.
  • This change fixes a bug, so I have ensured the steps to reproduce are in the Jira ticket or provided above.
  • This change impacts deployment safety (e.g. removing/altering APIs which are in use), so I have documented the impacts in the description.
  • This change includes a new feature flag, so I have created and linked new JIRA tickets to (a) turn on the feature flag and (b) remove it later.
  • This change modifies the UI, so I have taken screenshots or recordings of the new behavior and notified the PO and UX designer in Slack.
  • This change modifies API behavior, so I have run the relevant E2E tests locally because API changes are not covered by our PR checks.
  • None of the above apply to this change.