[Backport release-1.17] fix: upgrade dependencies to address critical CVEs#1708

Merged
javier-aliaga merged 1 commit into release-1.17 from backport-1706-to-release-1.17 on Mar 31, 2026

Conversation

@dapr-bot (Collaborator)

Backport d6b25cb from #1706.

* fix: upgrade dependencies to address critical CVEs

Upgrade jackson-bom 2.16.2 → 2.18.6 (CVE-2025-52999, CVSS 8.7 DoS),
add netty-bom 4.1.132.Final (CVE-2026-33871 CVSS 8.7, CVE-2026-33870
CVSS 7.5), and bump Spring Boot 3.4.9 → 3.4.10 which pulls Tomcat
10.1.46 (CVE-2025-55754 CVSS 9.6, CVE-2025-55752 CVSS 7.5).

Reorder BOM imports so netty-bom and jackson-bom take precedence over
Spring Boot's managed versions. Align springframework.version 6.2.11
with Spring Boot 3.4.10.

Signed-off-by: Javier Aliaga <javier@diagrid.io>

* chore: add TODO to remove netty-bom once gRPC bundles >= 4.1.132

Signed-off-by: Javier Aliaga <javier@diagrid.io>

* fix: upgrade Spring Boot 4.0.2 to 4.0.5 to fix jackson-core 3.0.4 (GHSA-72hv-8253-57qq)

Spring Boot 4.0.4+ ships with jackson 3.1.0, fixing the async JSON
parser DoS vulnerability in jackson-core 3.0.4. Upgrade all 6 modules
that pin springboot4.version from 4.0.2 to 4.0.5 (latest patch).

No jackson-bom override needed — Spring Boot 4.0.5 manages it natively.

Signed-off-by: Javier Aliaga <javier@diagrid.io>

---------

Signed-off-by: Javier Aliaga <javier@diagrid.io>
(cherry picked from commit d6b25cb)
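The BOM-reordering step in the commit message above relies on Maven's rule that imported BOMs are consulted in declaration order, with the first BOM that manages a given groupId:artifactId winning. The `dependencyManagement` fragment below is an added, constructed example, not the dapr/java-sdk pom: it uses the versions named in the PR description and the standard coordinates of jackson-bom, netty-bom and spring-boot-dependencies, while the property names and surrounding layout are assumed.

```xml
<!-- Added example: constructed pom.xml fragment, not the dapr/java-sdk pom.
     Versions are the ones named in the PR; property names and layout are assumed. -->
<project>
  <properties>
    <jackson.version>2.18.6</jackson.version>
    <netty.version>4.1.132.Final</netty.version>
    <springboot.version>3.4.10</springboot.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Order matters: Maven applies imported BOMs in declaration order and keeps
           the FIRST managed version it finds for a given groupId:artifactId.
           Declaring spring-boot-dependencies first would silently pin jackson and
           netty to whatever Spring Boot 3.4.10 manages, undoing the CVE fixes. -->

      <!-- 1. Patched jackson (CVE-2025-52999) -->
      <dependency>
        <groupId>com.fasterxml.jackson</groupId>
        <artifactId>jackson-bom</artifactId>
        <version>${jackson.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>

      <!-- 2. Patched netty (CVE-2026-33871, CVE-2026-33870).
           TODO, as noted in the PR: drop this BOM once the gRPC stack
           bundles netty >= 4.1.132 on its own. -->
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-bom</artifactId>
        <version>${netty.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>

      <!-- 3. Spring Boot last: it still manages everything the two BOMs above
           do not, including Tomcat 10.1.46 (CVE-2025-55754, CVE-2025-55752). -->
      <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-dependencies</artifactId>
        <version>${springboot.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

To confirm the override actually took effect rather than trusting the declaration order, check the resolved versions with `mvn help:effective-pom` (the merged `dependencyManagement` section shows which BOM won) and `mvn dependency:tree -Dincludes=io.netty,com.fasterxml.jackson.core` on each module; a jackson-core or netty artifact still at the Spring Boot managed version means a BOM is declared too late or a module overrides the property.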
@dapr-bot dapr-bot requested review from a team as code owners March 31, 2026 13:32
@javier-aliaga javier-aliaga merged commit 09230ae into release-1.17 Mar 31, 2026
12 of 13 checks passed
@codecov

codecov bot commented Mar 31, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 79.53%. Comparing base (501ed50) to head (33f30b6).
⚠️ Report is 1 commits behind head on release-1.17.

Additional details and impacted files
@@                Coverage Diff                 @@
##             release-1.17    #1708      +/-   ##
==================================================
+ Coverage           79.51%   79.53%   +0.01%     
+ Complexity           2194     2193       -1     
==================================================
  Files                 237      237              
  Lines                6577     6577              
  Branches              730      730              
==================================================
+ Hits                 5230     5231       +1     
+ Misses                992      990       -2     
- Partials              355      356       +1     
