Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update Mend: high confidence minor and patch dependency updates #3

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Update Mend: high confidence minor and patch dependency updates #3

wants to merge 1 commit into from

Conversation

mend-for-github-com[bot]
Copy link

@mend-for-github-com mend-for-github-com bot commented Oct 26, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
net.sf.ehcache:ehcache (source) 2.10.4 -> 2.10.9.2 age adoption passing confidence
commons-io:commons-io (source) 2.5 -> 2.18.0 age adoption passing confidence
net.minidev:json-smart (source) 2.5.1 -> 2.5.2 age adoption passing confidence
com.nimbusds:nimbus-jose-jwt 9.37.3 -> 9.48 age adoption passing confidence
org.slf4j:slf4j-api (source, changelog) 1.7.25 -> 1.7.36 age adoption passing confidence
com.google.guava:guava 32.0.1-jre -> 32.1.3-jre age adoption passing confidence
com.google.protobuf:protobuf-java (source) 4.27.0 -> 4.29.3 age adoption passing confidence
com.google.crypto.tink:tink 1.14.0 -> 1.16.0 age adoption passing confidence
org.ow2.asm:asm (source) 9.3 -> 9.7.1 age adoption passing confidence
javax.xml.bind:jaxb-api 2.2.2 -> 2.3.1 age adoption passing confidence
net.minidev:json-smart (source) 2.5.0 -> 2.5.2 age adoption passing confidence
org.jsoup:jsoup (source) 1.13.1 -> 1.18.3 age adoption passing confidence
com.github.javaparser:javaparser-core (source) 3.18.0 -> 3.26.3 age adoption passing confidence
io.dropwizard.metrics:metrics-core (source) 4.1.4 -> 4.2.30 age adoption passing confidence
commons-cli:commons-cli (source) 1.2 -> 1.9.0 age adoption passing confidence
org.xmlunit:xmlunit-core (source) 2.8.2 -> 2.10.0 age adoption passing confidence
com.github.tomakehurst:wiremock-jre8-standalone (source) 2.23.2 -> 2.35.2 age adoption passing confidence
io.projectreactor:reactor-core 3.4.38 -> 3.7.3 age adoption passing confidence
org.yaml:snakeyaml 2.0 -> 2.4 age adoption passing confidence
org.reflections:reflections 0.9.12 -> 0.10.2 age adoption passing confidence
org.apache.maven:maven-model 3.6.2 -> 3.9.9 age adoption passing confidence
com.google.auth:google-auth-library-oauth2-http 1.11.0 -> 1.32.1 age adoption passing confidence
org.junit.platform:junit-platform-launcher (source) 1.8.1 -> 1.11.4 age adoption passing confidence
com.unboundid:unboundid-ldapsdk 6.0.3 -> 6.0.11 age adoption passing confidence
org.apache.commons:commons-lang3 (source) 3.11 -> 3.17.0 age adoption passing confidence
com.google.api.grpc:proto-google-common-protos 2.9.6 -> 2.52.0 age adoption passing confidence
commons-io:commons-io (source) 2.8.0 -> 2.18.0 age adoption passing confidence
com.sun.xml.bind:jaxb-impl (source) 2.2.3-1 -> 2.3.9 age adoption passing confidence
net.java.dev.jna:jna 5.10.0 -> 5.16.0 age adoption passing confidence
org.threeten:threetenbp (source) 1.6.5 -> 1.7.0 age adoption passing confidence
javax.mail:mail (source) 1.4.5 -> 1.4.7 age adoption passing confidence
com.microsoft.azure:msal4j 1.16.2 -> 1.19.0 age adoption passing confidence
com.azure:azure-storage-blob 12.27.1 -> 12.29.0 age adoption passing confidence
org.junit.jupiter:junit-jupiter (source) 5.8.1 -> 5.11.4 age adoption passing confidence
org.skyscreamer:jsonassert 1.5.0 -> 1.5.3 age adoption passing confidence
com.maxmind.geoip2:geoip2 (source) 4.2.0 -> 4.2.1 age adoption passing confidence
org.ow2.asm:asm-tree (source) 9.7 -> 9.7.1 age adoption passing confidence
org.ow2.asm:asm (source) 9.7 -> 9.7.1 age adoption passing confidence
gradle.plugin.org.jetbrains.gradle.plugin.idea-ext:gradle-idea-ext 1.1.4 -> 1.1.10 age adoption passing confidence
com.github.spullara.mustache.java:compiler 0.9.10 -> 0.9.14 age adoption passing confidence
org.apache.httpcomponents:httpcore 4.4.12 -> 4.4.16 age adoption passing confidence
commons-io:commons-io (source) 2.15.1 -> 2.18.0 age adoption passing confidence
org.apache.commons:commons-compress (source) 1.26.1 -> 1.27.1 age adoption passing confidence
org.fusesource.jansi:jansi (source) 2.4.0 -> 2.4.1 age adoption passing confidence
org.checkerframework:checker-qual (source) 3.42.0 -> 3.49.0 age adoption passing confidence
commons-io:commons-io (source) 2.2 -> 2.18.0 age adoption passing confidence
com.fasterxml.jackson.core:jackson-core 2.17.2 -> 2.18.2 age adoption passing confidence
commons-codec:commons-codec (source) 1.11 -> 1.18.0 age adoption passing confidence
io.opentelemetry:opentelemetry-api 1.31.0 -> 1.47.0 age adoption passing confidence
org.apache.ant:ant (source) 1.10.12 -> 1.10.15 age adoption passing confidence
org.junit.vintage:junit-vintage-engine (source) 5.8.1 -> 5.11.4 age adoption passing confidence
org.junit:junit-bom (source) 5.8.1 -> 5.11.4 age adoption passing confidence
com.fasterxml.jackson:jackson-bom 2.15.0 -> 2.18.2 age adoption passing confidence
com.fasterxml.jackson.core:jackson-databind (source) 2.15.0 -> 2.18.2 age adoption passing confidence
com.fasterxml.jackson.core:jackson-core 2.15.0 -> 2.18.2 age adoption passing confidence
org.ow2.asm:asm-tree (source) 9.6 -> 9.7.1 age adoption passing confidence
org.ow2.asm:asm (source) 9.6 -> 9.7.1 age adoption passing confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

netplex/json-smart-v2 (net.minidev:json-smart)

v2.5.2

Compare Source

About CVE-2024-57699

Thanks for @​ccudennec-otto Some remarks on the CVE, more discussions in #​236

  • as mentioned here it is quite unlikely that the vulnerability is exploited if you come here because of Spring Security / com.nimbusds:oauth2-oidc-sdk
  • the code changes for the upcoming release will "only" fix the default modes provided by JSONParser, e.g. MODE_RFC4627
  • if you create the JSONParser manually / with custom options, make sure you set option LIMIT_JSON_DEPTH
    • since that's what "connect2id" is doing in their library, they were responsible for fixing it. They've already provided a new 11.x release that fixes the JSONParser setup on their side, i.e. you rather need their fixed version and not version 2.5.2 of json-smart
    • as stated here, they would also need to backport the fix to the versions that Spring Security needs IMHO

What's Changed

New Contributors

Full Changelog: netplex/json-smart-v2@2.5.1...2.5.2

connect2id/nimbus-jose-jwt (com.nimbusds:nimbus-jose-jwt)

[v9.48](https://bitbucket.org/connect2id/nimbus-jose-jwt/branches

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

disabled

@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch 7 times, most recently from fbf055a to 347c42c Compare November 2, 2024 11:07
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch 5 times, most recently from 6971a47 to 37f3bfe Compare November 9, 2024 10:31
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch 6 times, most recently from 07554c6 to 26092e3 Compare November 19, 2024 16:40
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch 7 times, most recently from 2fe002e to d98a7c8 Compare November 29, 2024 08:39
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch 5 times, most recently from bc4f4f9 to 659e29b Compare December 4, 2024 07:12
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch 7 times, most recently from c6c4fcb to 13da243 Compare January 26, 2025 14:16
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch 7 times, most recently from 318d8f2 to 22d4c7b Compare February 2, 2025 09:53
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch 6 times, most recently from c0cb65d to 80b8b56 Compare February 9, 2025 12:51
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch 7 times, most recently from 552f908 to 3911194 Compare February 16, 2025 14:33
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch from 3911194 to a8a9b83 Compare February 18, 2025 21:08
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch from a8a9b83 to ae5ebf1 Compare February 20, 2025 07:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants