Skip to content

Upgrades commons libraries to fix security vulnerabilities #219

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
NicoPiel wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Upgrades commons libraries to fix security vulnerabilities #219

NicoPiel wants to merge 5 commits into from

Conversation

@NicoPiel
Copy link
Contributor

@NicoPiel NicoPiel commented Dec 5, 2025
edited
Loading

Updates several Apache Commons dependencies across modules to newer patch releases to fix security vulnerabilities.

Fixes #218

Notably upgrades
commons-lang3 (3.13.0 → 3.18.0),
commons-beanutils (1.9.4 → 1.11.0) and
commons-configuration2 (2.8.0 → 2.10.1), replacing old JARs with the updated artifacts.

@NicoPiel
Upgrades commons libraries
c25905c 
Updates several Apache Commons dependencies across modules to newer patch releases to fix security vulnerabilities.

Fixes OpenIntegrationEngine#218

Notably upgrades commons-lang3 (3.13.0 → 3.18.0), commons-beanutils (1.9.4 → 1.11.0) and commons-configuration2 (2.8.0 → 2.10.1), replacing old JARs with the updated artifacts.

Signed-off-by: Nico Piel <nico.piel@hotmail.de>
tonygermano
tonygermano requested changes Dec 5, 2025
View reviewed changes
Copy link
Member

@tonygermano tonygermano left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are references that need to be updated in /server/build.xml and /manager/ant-build.xml. Some of these libraries get added to the manifests of the launcher jars. I'm less concerned about /manager since we don't ship that, and it's probably going to be rewritten at some point, but since you are already updating the jars, you should probably update the build file to match.

Also, the /generator project should probably be kept up to date. That doesn't run on every build, but it is what creates https://github.com/OpenIntegrationEngine/engine/blob/main/server/lib/mirth-vocab.jar

I'd want to see the results of some people testing these changes and check if there are any documented compatibility issues with newer versions before we merge.

@NicoPiel
Bumps bundled dependency versions in manifests
aa637d2 
Updates several bundled library versions referenced in application manifests to newer releases

Signed-off-by: Nico Piel <nico.piel@hotmail.de>
@NicoPiel
Bumps commons in generator
d86b26b 
Bumps the Commons Lang library

Signed-off-by: Nico Piel <nico.piel@hotmail.de>
@NicoPiel
Copy link
Contributor Author

NicoPiel commented Dec 5, 2025
edited
Loading

There are references that need to be updated in /server/build.xml and /manager/ant-build.xml.

Done!

Also, the /generator project should probably be kept up to date.

Also Done!

mgaffigan
mgaffigan requested changes Dec 5, 2025
View reviewed changes
Copy link
Contributor

@mgaffigan mgaffigan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Old versions referenced in:

  • donkey/.classpath
  • donkey/lib/commons/commons-beanutils-1.9.4.jar
  • donkey/lib/commons/commons-lang3-3.13.0.jar
  • command/.classpath

@NicoPiel
Updates commons libraries to newer versions (donkey/cli)
0b39e6a 
Bumps several third-party Commons libraries to newer releases

Signed-off-by: Nico Piel <nico.piel@hotmail.de>
@NicoPiel
Re-added beanutils to CLI
b2d6f57 
Signed-off-by: Nico Piel <nico.piel@hotmail.de>
@mgaffigan
Copy link
Contributor

mgaffigan commented Dec 7, 2025

Are there libraries we ship that are depending on the three that are updated in this PR? Can we get those up to date at the same time? Approving regardless, since I don't see a downside to shipping as is.

@tonygermano tonygermano requested review from a team, jonbartels, kayyagari, ssrowe and tonygermano and removed request for a team December 8, 2025 04:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mgaffigan mgaffigan mgaffigan approved these changes

@kayyagari kayyagari Awaiting requested review from kayyagari kayyagari was automatically assigned from OpenIntegrationEngine/maintainers

@ssrowe ssrowe Awaiting requested review from ssrowe ssrowe was automatically assigned from OpenIntegrationEngine/maintainers

@jonbartels jonbartels Awaiting requested review from jonbartels jonbartels was automatically assigned from OpenIntegrationEngine/maintainers

@tonygermano tonygermano Awaiting requested review from tonygermano tonygermano was automatically assigned from OpenIntegrationEngine/maintainers

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[SECURITY] Vulnerability in Apache Commons Libraries

3 participants

@NicoPiel @mgaffigan @tonygermano