
Bump netty.version for vulnerability fixes #1755

Merged
merged 1 commit into from
Dec 21, 2020

Conversation

lukestephenson
Contributor

Specifically because our vulnerability scanner is reporting https://app.snyk.io/vuln/SNYK-JAVA-IONETTY-1020439 which is fixed in this version.
@TomGranot
Contributor

@lukestephenson Thanks for the heads up!

I'm seeing failure in GitHub Actions but not in Travis, but haven't looked too deep into it yet - will do so over the weekend. Please ping if I forget!

@LautaroPetaccio

Hi @TomGranot, would you be so kind as to take a look at this? We're having the same issue with the vulnerability being reported. Thank you very much!

@TomGranot
Contributor

TomGranot commented Dec 21, 2020

@lukestephenson & @LautaroPetaccio it warms the heart to see folks still relying on this library, and taking the time to point vulns upstream! Thanks for this. New maintainer of this lib, and I'm slowly cleaning it up, gearing for a new release. Always fun to come home to activity (or, still fun to come home to activity? :) Check back with me in a year ).

The tests failing are (I think) mostly due to timeouts since the GA agents are notoriously tiny. I'm going to try and bump locally then run the tests just as a sanity check (even beyond Travis) - see what gives. Give me a few.

Edit: Flies in my book. Merging.

@TomGranot TomGranot merged commit 2658825 into AsyncHttpClient:master Dec 21, 2020
@LautaroPetaccio

Hi again @TomGranot ! Thanks for taking time to fix this vulnerability.
It seems that the CI processes failed in master and the package was not deployed. Do we need to fix the tests to deploy it?

@TomGranot
Contributor

@LautaroPetaccio I think there might have been a misunderstanding here - in order to merge and deploy to the main maven central organization I'd have to create a new release, which is something I'm still in the process of doing (there hasn't been one since April). There have been a few changes since the last release and I'd like to properly review them and write up a nice changelist before pushing out a new release. Also, I'm still finalizing the new CI flows (since Travis-CI changed their OSS support), and I'd like to have that done first.

Life of a maintainer, I guess? :)

Please feel free to ping me as much as you want to fix this, though, and I shall as soon as I get to it.
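Until a release carrying the bump is published, a consumer's build still resolves whatever Netty version the last async-http-client release declared. The script below is an added example (not code from this PR or from the AsyncHttpClient project) showing how to confirm which Netty artifacts a Maven build actually resolves: it parses `mvn dependency:tree` output and flags any `io.netty` artifact below a minimum version. The sample tree text and the `MIN_NETTY_VERSION` value are constructed placeholders; substitute the fixed version named in the advisory.

```python
import re

# Constructed sample of `mvn dependency:tree` output (not taken from the page).
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.asynchttpclient:async-http-client:jar:2.12.1:compile
[INFO] |  +- io.netty:netty-codec-http:jar:4.1.53.Final:compile
[INFO] |  |  +- io.netty:netty-common:jar:4.1.53.Final:compile
[INFO] |  |  \\- io.netty:netty-buffer:jar:4.1.53.Final:compile
[INFO] |  \\- io.netty:netty-handler:jar:4.1.53.Final:compile
[INFO] \\- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.55.Final:compile
"""

# Placeholder minimum: replace with the fixed version from the advisory.
MIN_NETTY_VERSION = "4.1.54.Final"

_COORD_RE = re.compile(r"^[A-Za-z0-9_.\-]+(:[A-Za-z0-9_.\-]+){3,5}$")


def parse_version(version: str) -> tuple:
    """Return the leading numeric components of a Maven version.

    '4.1.53.Final' -> (4, 1, 53); the textual qualifier is ignored, which is
    enough for comparing Netty release lines.
    """
    parts = []
    for piece in version.split("."):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    return tuple(parts)


def resolved_artifacts(tree_text: str) -> list:
    """Extract (groupId, artifactId, version) from dependency:tree lines.

    Handles the 5-field form groupId:artifactId:type:version:scope and the
    6-field form with a classifier; the 4-field root line has no scope.
    """
    found = []
    for line in tree_text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].startswith("[INFO]"):
            continue
        coord = tokens[-1]
        if not _COORD_RE.match(coord):
            continue
        fields = coord.split(":")
        if len(fields) == 4:          # root: group:artifact:type:version
            group, artifact, _, version = fields
        elif len(fields) == 5:        # group:artifact:type:version:scope
            group, artifact, _, version, _ = fields
        elif len(fields) == 6:        # group:artifact:type:classifier:version:scope
            group, artifact, _, _, version, _ = fields
        else:
            continue
        found.append((group, artifact, version))
    return found


def netty_below(tree_text: str, min_version: str = MIN_NETTY_VERSION) -> list:
    """Return (artifactId, version) for every io.netty artifact below min_version."""
    floor = parse_version(min_version)
    return [
        (artifact, version)
        for group, artifact, version in resolved_artifacts(tree_text)
        if group == "io.netty" and parse_version(version) < floor
    ]


if __name__ == "__main__":
    for artifact, version in netty_below(SAMPLE_TREE):
        print(f"BELOW MINIMUM: io.netty:{artifact}:{version}")
```

In a real build, pipe `mvn dependency:tree -Dincludes=io.netty` into this script; a non-empty result means the transitive Netty version has not been lifted yet, and the consumer can pin it in their own `dependencyManagement` until the upstream release lands.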

@TomGranot
Contributor

@LautaroPetaccio @lukestephenson Apologies for the delay on this. Just reaching out to say I ended up manually releasing a version with the bump and a bunch of other things.

See here:

https://search.maven.org/artifact/org.asynchttpclient/async-http-client/2.12.2/jar


3 participants