chore: Update Jetty to 12.1.9 and jakarta-servlet-api to 6.1.0#104
Merged
Conversation
sidharth-jain23
changed the title
sidharth-jain23
changed the title
- Migrate Jetty module coordinates to EE10 variants for Jetty 12 compatibility: - jetty-servlet -> org.eclipse.jetty.ee10:jetty-ee10-servlet - jetty-servlets -> org.eclipse.jetty.ee10:jetty-ee10-servlets - jetty-server remains org.eclipse.jetty:jetty-server (core module) - Bump jakarta-servlet-api from 6.0.0 to 6.1.0 (required by Jetty 12.1 EE10) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
sidharth-jain23
force-pushed
the
jetty-upgrade
branch
from
eede3a0 to
3b5be85
Compare
aaron-steinfeld
previously approved these changes
May 14, 2026
The EE10 servlet modules (org.eclipse.jetty.ee10:*) are not managed by the core jetty-bom (org.eclipse.jetty:jetty-bom). Add the jetty-ee10-bom as a platform import and explicit versions to ensure resolution works. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
sidharth-jain23
changed the title
aaron-steinfeld
previously approved these changes
May 14, 2026
These deps pull in the old Jetty 11 coordinates (org.eclipse.jetty:jetty-servlet) which no longer resolve under Jetty 12. Will uncomment after publishing a new service-framework version built with EE10 coordinates. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
| api(libs.hypertrace.kafka.framework) | ||
| api(libs.hypertrace.integrationtest.framework) | ||
| api(libs.hypertrace.framework.documentstore.metrics) | ||
| // TODO: uncomment after publishing service-framework with Jetty 12 |
Contributor
There was a problem hiding this comment.
I didn't understand this
Contributor
Author
There was a problem hiding this comment.
test-consumer in this repo verifies dep resolution for hypertrace framework artifacts which right now pull in the old Jetty 11 coordinates (org.eclipse.jetty:jetty-servlet) which no longer resolve under Jetty 12 & hence build will fail..
once we upgrade jetty in hypertrace framework & publish the new version in this bom repo, we can uncomment these deps
Contributor
Author
There was a problem hiding this comment.
I thought of this as the best way to workaround this.. open to better suggestions
Contributor
There was a problem hiding this comment.
What we should have done here is update service framework first - basically this PR will break all existing repos without service framework upgrade and that's what the build was telling you.
Contributor
Author
There was a problem hiding this comment.
my bad!
updating service framework - hypertrace/service-framework#147
avinashkolluru
previously approved these changes
May 15, 2026
CVE-2026-42198 (pgjdbc DoS, CVSS 7.5): - Upgrade document-store from 0.8.6 to 0.9.45, which brings postgresql 42.7.11 (the fixed version). CVE-2026-41417 (Netty CRLF injection, CVSS 5.3): - Upgrade netty-bom from 4.1.132.Final to 4.1.133.Final (fixed version). - Added temporary OWASP suppression because the published hypertrace-bom (0.3.78) still imports netty-bom:4.1.132.Final, and transitive deps resolve against that published version rather than the local project. Temporary workarounds in this branch (to be removed in sequence): 1. Service-framework deps commented out in test-consumer — the published service-framework:0.1.93 still declares old Jetty 11 coordinates (org.eclipse.jetty:jetty-servlet) which don't exist in Jetty 12. 2. CVE-2026-41417 OWASP suppression — netty 4.1.132 comes transitively from the published hypertrace-bom:0.3.78. Resolution steps: 1. Publish this BOM as 0.3.79 (with Jetty 12 EE10 + Netty 4.1.133.Final) 2. Update service-framework to use BOM 0.3.79 catalog, publish new version 3. Bump service-framework version in this BOM, uncomment deps in test-consumer, and remove the OWASP suppression Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
avinashkolluru
approved these changes
May 15, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Upgrade Jetty from 11.0.26 to 12.1.9 to address security vulnerabilities in the older Jetty version. This also bumps jakarta-servlet-api from 6.0.0 to 6.1.0 as required by Jetty 12.1 EE10.
Jetty 12 restructured its module coordinates — servlet-related modules moved under the org.eclipse.jetty.ee10 group. This PR updates the BOM aliases accordingly:
Testing