Sysdig Vulnerability Urgent/Critical-Need your help

[ayanvastav-debug]

Hi Node-Java Team,

I am currently using the Node-Java library in my Node.js application. During a deployment scan using Sysdig, a vulnerability was flagged due to the version of apache.commons:commons-lang3 included as a dependency.

To comply with Sysdig security standards, I need to ensure that apache.commons:commons-lang3 is upgraded to version 3.18.0, as the currently bundled version contains known vulnerabilities (refer to the attached screenshot).

If anyone has previously encountered this issue and found a workaround or method to manually override or patch the dependency, I would greatly appreciate it if you could share the details.

Otherwise, I kindly request the following actions:

Upgrade the apache.commons:commons-lang3 dependency to version 3.18.0

Publish a new version of the Node-Java library that includes this update

This upgrade is critical for proceeding with my secure deployment pipeline. Please let me know if you need any additional details from my end or if there is an alternative approach I can follow to resolve this issue.

Thank you for your support.

[joeferner]

#619

[joeferner]

Published v0.16.2, hopefully that addresses the issue for now.

[ayanvastav-debug]

Hi Joeferner, I hope you're doing well. I wanted to bring to your attention that the current version of the Common-Lang library being used is 3.5. Unfortunately, this version is known to have vulnerabilities that could pose security risks. The only version of Common-Lang that is considered secure and free of these vulnerabilities is 3.18.0. Therefore, I kindly request that you upgrade the Common-Lang library from version 3.5 to version 3.18.0 at your earliest convenience. Please let us know the estimated time of completion for this upgrade so we can coordinate accordingly. If you need any assistance or further information regarding this update, feel free to reach out.

…

On Thu, Aug 14, 2025, 3:40 PM Joe Ferner ***@***.***> wrote: Closed #616 <#616> as completed. — Reply to this email directly, view it on GitHub <#616 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BVEHM2JGNUVEFAKTJFBNQT33NROCBAVCNFSM6AAAAACCMEFRUGVHI2DSMVQWIX3LMV45UABCJFZXG5LFIV3GK3TUJZXXI2LGNFRWC5DJN5XDWMJZGE2TMMRQHEYTMNY> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[ayanvastav-debug]

***@***.*** ***@***.***>

…

On Thu, Aug 21, 2025, 3:46 PM AYAN VASTAV ***@***.***> wrote: Hi Joeferner, I hope you're doing well. I wanted to bring to your attention that the current version of the Common-Lang library being used is 3.5. Unfortunately, this version is known to have vulnerabilities that could pose security risks. The only version of Common-Lang that is considered secure and free of these vulnerabilities is 3.18.0. Therefore, I kindly request that you upgrade the Common-Lang library from version 3.5 to version 3.18.0 at your earliest convenience. Please let us know the estimated time of completion for this upgrade so we can coordinate accordingly. If you need any assistance or further information regarding this update, feel free to reach out. On Thu, Aug 14, 2025, 3:40 PM Joe Ferner ***@***.***> wrote: > Closed #616 <#616> as > completed. > > — > Reply to this email directly, view it on GitHub > <#616 (comment)>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/BVEHM2JGNUVEFAKTJFBNQT33NROCBAVCNFSM6AAAAACCMEFRUGVHI2DSMVQWIX3LMV45UABCJFZXG5LFIV3GK3TUJZXXI2LGNFRWC5DJN5XDWMJZGE2TMMRQHEYTMNY> > . > You are receiving this because you authored the thread.Message ID: > ***@***.***> >

[joeferner]

Until apache/commons-lang#1427 gets merged and versioned I can't fully update commons-lang because of a regression in commons-langs.

[garydgregory]

What regression?

[joeferner]

These tests https://github.com/joeferner/node-java/blob/master/test/varargs.test.ts#L25-L36 which used commons-lang3 version ~3.3 fail with commons-lang3 newer than 3.5. I Traced it back to this commit apache/commons-lang@1a20867

The above commit fails in two ways. Passing no varargs to a method which accepts varargs does not work:

public void myMethod(String... args) {
  ...
}

myMethod(); // fails to find method

And non-matching numbers passed to varargs methods do not get autoboxed:

public void myMethod(float... args) {
  ...
}

myMethod(1, 2); // fails to find method

I would imagine other scenarios also fail when class hierarchies and interface implementations also get more complex because the code is relying on super type checking as opposed to assignability checks.