
Commit d6b25cb

fix: upgrade dependencies to address critical CVEs (#1706)
* fix: upgrade dependencies to address critical CVEs Upgrade jackson-bom 2.16.2 → 2.18.6 (CVE-2025-52999, CVSS 8.7 DoS), add netty-bom 4.1.132.Final (CVE-2026-33871 CVSS 8.7, CVE-2026-33870 CVSS 7.5), and bump Spring Boot 3.4.9 → 3.4.10 which pulls Tomcat 10.1.46 (CVE-2025-55754 CVSS 9.6, CVE-2025-55752 CVSS 7.5). Reorder BOM imports so netty-bom and jackson-bom take precedence over Spring Boot's managed versions. Align springframework.version 6.2.11 with Spring Boot 3.4.10. Signed-off-by: Javier Aliaga <javier@diagrid.io> * chore: add TODO to remove netty-bom once gRPC bundles >= 4.1.132 Signed-off-by: Javier Aliaga <javier@diagrid.io> * fix: upgrade Spring Boot 4.0.2 to 4.0.5 to fix jackson-core 3.0.4 (GHSA-72hv-8253-57qq) Spring Boot 4.0.4+ ships with jackson 3.1.0, fixing the async JSON parser DoS vulnerability in jackson-core 3.0.4. Upgrade all 6 modules that pin springboot4.version from 4.0.2 to 4.0.5 (latest patch). No jackson-bom override needed — Spring Boot 4.0.5 manages it natively. Signed-off-by: Javier Aliaga <javier@diagrid.io> --------- Signed-off-by: Javier Aliaga <javier@diagrid.io>
1 parent 12d8c7a commit d6b25cb

7 files changed

Lines changed: 30 additions & 21 deletions


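--- a/dapr-spring/dapr-spring-6-data/pom.xml
+++ b/dapr-spring/dapr-spring-6-data/pom.xml
@@ -17,8 +17,8 @@
 <packaging>jar</packaging>
 
 <properties>
-<springboot4.version>4.0.2</springboot4.version>
-<!-- Override JUnit version to align with Spring Boot 4.0.2 -->
+<springboot4.version>4.0.5</springboot4.version>
+<!-- Override JUnit version to align with Spring Boot 4.x -->
 <junit-bom.version>6.0.2</junit-bom.version>
 </properties>
 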

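--- a/dapr-spring/dapr-spring-boot-4-autoconfigure/pom.xml
+++ b/dapr-spring/dapr-spring-boot-4-autoconfigure/pom.xml
@@ -16,8 +16,8 @@
 <packaging>jar</packaging>
 
 <properties>
-<springboot4.version>4.0.2</springboot4.version>
-<!-- Override JUnit version to align with Spring Boot 4.0.2 -->
+<springboot4.version>4.0.5</springboot4.version>
+<!-- Override JUnit version to align with Spring Boot 4.0.x -->
 <junit-bom.version>6.0.2</junit-bom.version>
 </properties>
 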
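Review bot: The rewritten comment in this file reads `Override JUnit version to align with Spring Boot 4.0.x`, while the same line in the other five modules touched by this commit (dapr-spring-6-data, the two spring-boot-4 starters, spring-boot-4-examples, spring-boot-4-sdk-tests) now says `Spring Boot 4.x`; the six copies are otherwise identical and should share one wording so a grep for the comment finds all of them. I would change this one to `<!-- Override JUnit version to align with Spring Boot 4.x -->` to match. The enclosing `<properties>` block is fully inside the hunk.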

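--- a/dapr-spring/dapr-spring-boot-starters/dapr-spring-boot-4-starter-test/pom.xml
+++ b/dapr-spring/dapr-spring-boot-starters/dapr-spring-boot-4-starter-test/pom.xml
@@ -16,8 +16,8 @@
 <packaging>jar</packaging>
 
 <properties>
-<springboot4.version>4.0.2</springboot4.version>
-<!-- Override JUnit version to align with Spring Boot 4.0.2 -->
+<springboot4.version>4.0.5</springboot4.version>
+<!-- Override JUnit version to align with Spring Boot 4.x -->
 <junit-bom.version>6.0.2</junit-bom.version>
 </properties>
 <dependencyManagement>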

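--- a/dapr-spring/dapr-spring-boot-starters/dapr-spring-boot-4-starter/pom.xml
+++ b/dapr-spring/dapr-spring-boot-starters/dapr-spring-boot-4-starter/pom.xml
@@ -16,8 +16,8 @@
 <packaging>jar</packaging>
 
 <properties>
-<springboot4.version>4.0.2</springboot4.version>
-<!-- Override JUnit version to align with Spring Boot 4.0.2 -->
+<springboot4.version>4.0.5</springboot4.version>
+<!-- Override JUnit version to align with Spring Boot 4.x -->
 <junit-bom.version>6.0.2</junit-bom.version>
 </properties>
 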

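--- a/pom.xml
+++ b/pom.xml
@@ -42,7 +42,7 @@
 <maven.compiler.target>11</maven.compiler.target>
 <maven.compiler.release>11</maven.compiler.release>
 <maven.deploy.skip>true</maven.deploy.skip>
-<jackson.version>2.16.2</jackson.version>
+<jackson.version>2.18.6</jackson.version>
 <gpg.skip>true</gpg.skip>
 <spotbugs.fail>true</spotbugs.fail>
 <spotbugs.exclude.filter.file>${maven.multiModuleProjectDirectory}/spotbugs-exclude.xml</spotbugs.exclude.filter.file>
@@ -53,8 +53,8 @@
 <snakeyaml.version>2.0</snakeyaml.version>
 <testcontainers.version>1.21.4</testcontainers.version>
 <!-- Do NOT UPGRADE spring.version without checking springboot.version alignment -->
-<springboot.version>3.4.9</springboot.version>
-<springframework.version>6.2.7</springframework.version>
+<springboot.version>3.4.10</springboot.version>
+<springframework.version>6.2.11</springframework.version>
 <!-- Do NOT UPGRADE springframework.version without checking springboot.version alignment -->
 <nexus-staging-maven-plugin.version>1.7.0</nexus-staging-maven-plugin.version>
 <assertj.version>3.27.7</assertj.version>
@@ -82,6 +82,8 @@
 <opentelemetry-bom.version>2.1.0</opentelemetry-bom.version>
 <kotlin.version>2.1.0</kotlin.version>
 <rest-assured.version>5.5.1</rest-assured.version>
+<!-- TODO: Remove netty-bom override once gRPC ships with Netty >= 4.1.132 (CVE-2026-33871, CVE-2026-33870) -->
+<netty.version>4.1.132.Final</netty.version>
 </properties>
 
 <distributionManagement>
@@ -106,16 +108,16 @@
 <!-- BOMs - Import first to establish baseline dependency versions -->
 <!-- ====================================================================== -->
 <dependency>
-<groupId>io.grpc</groupId>
-<artifactId>grpc-bom</artifactId>
-<version>${grpc.version}</version>
+<groupId>io.netty</groupId>
+<artifactId>netty-bom</artifactId>
+<version>${netty.version}</version>
 <type>pom</type>
 <scope>import</scope>
 </dependency>
 <dependency>
-<groupId>org.springframework.boot</groupId>
-<artifactId>spring-boot-dependencies</artifactId>
-<version>${springboot.version}</version>
+<groupId>io.grpc</groupId>
+<artifactId>grpc-bom</artifactId>
+<version>${grpc.version}</version>
 <type>pom</type>
 <scope>import</scope>
 </dependency>
@@ -126,6 +128,13 @@
 <type>pom</type>
 <scope>import</scope>
 </dependency>
+<dependency>
+<groupId>org.springframework.boot</groupId>
+<artifactId>spring-boot-dependencies</artifactId>
+<version>${springboot.version}</version>
+<type>pom</type>
+<scope>import</scope>
+</dependency>
 <dependency>
 <groupId>org.junit</groupId>
 <artifactId>junit-bom</artifactId>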
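Review bot: The new BOM ordering in the `@@ -106,16 +108,16 @@` and `@@ -126,6 +128,13 @@` hunks is load-bearing — Maven takes a managed version from the first imported BOM that declares the artifact — but nothing in the pom records that, so a later contributor re-sorting the imports would silently hand the Netty and Jackson pins back to whatever spring-boot-dependencies manages and reopen the CVEs this commit closes. A comment next to the netty-bom import such as `<!-- Keep netty-bom and jackson-bom ahead of spring-boot-dependencies: the first imported BOM wins for any artifact both manage -->` would make the constraint explicit, and it is worth confirming with `mvn dependency:tree` that every io.netty artifact in the build resolves to 4.1.132.Final, since I cannot verify from this page that nothing outside the netty BOM's managed set still comes from a later import. The `@@ -82,6 +82,8 @@` hunk's TODO documents the Netty pin well; the `jackson.version` bump in the first hunk has no equivalent note, so a short `<!-- Pinned for CVE-2025-52999; must stay >= the version managed by spring-boot-dependencies -->` next to it would help the next upgrade. Separately, the context comment `Do NOT UPGRADE spring.version without checking springboot.version alignment` above the `springboot.version` bump names a property that does not exist in the shown block, while the line just below the bump already carries the `springframework.version` wording, so the stale copy could be dropped.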

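--- a/spring-boot-4-examples/pom.xml
+++ b/spring-boot-4-examples/pom.xml
@@ -15,8 +15,8 @@
 
 <properties>
 <maven.deploy.skip>true</maven.deploy.skip>
-<springboot4.version>4.0.2</springboot4.version>
-<!-- Override JUnit version to align with Spring Boot 4.0.2 -->
+<springboot4.version>4.0.5</springboot4.version>
+<!-- Override JUnit version to align with Spring Boot 4.x -->
 <junit-bom.version>6.0.2</junit-bom.version>
 </properties>
 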

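--- a/spring-boot-4-sdk-tests/pom.xml
+++ b/spring-boot-4-sdk-tests/pom.xml
@@ -19,8 +19,8 @@
 <maven.deploy.skip>true</maven.deploy.skip>
 <protobuf.output.directory>${project.build.directory}/generated-sources</protobuf.output.directory>
 <protobuf.input.directory>${project.basedir}/proto</protobuf.input.directory>
-<springboot4.version>4.0.2</springboot4.version>
-<!-- Override JUnit version to align with Spring Boot 4.0.2 -->
+<springboot4.version>4.0.5</springboot4.version>
+<!-- Override JUnit version to align with Spring Boot 4.x -->
 <junit-bom.version>6.0.2</junit-bom.version>
 <!-- The JaCoCo plugin was expecting coverage for this module, but since it's a test module
 and code coverage typically doesn't apply to tests, the coverage is set to 0. -->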
