
Contributor

@aldexis aldexis commented Nov 19, 2025

Before this PR

We're relying on Jersey 3.1.3, which contains https://nvd.nist.gov/vuln/detail/CVE-2025-12383.

Sounds like 4.0.0 has been released, but bumping an entire major version seems riskier, and the vuln has been addressed as of 3.1.10.

Here are the release notes for the various versions:

After this PR

==COMMIT_MSG==
Bump jersey to latest 3.x version
==COMMIT_MSG==

Possible downsides?

There are a lot of changes (two years worth of them), so determining potential impact is hard.

@changelog-app

changelog-app bot commented Nov 19, 2025

Generate changelog in changelog/@unreleased

Type (Select exactly one)

  • Feature (Adding new functionality)
  • Improvement (Improving existing functionality)
  • Fix (Fixing an issue with existing functionality)
  • Break (Creating a new major version by breaking public APIs)
  • Deprecation (Removing functionality in a non-breaking way)
  • Migration (Automatically moving data/functionality to a new system)

Description

Bump jersey to latest 2.x and 3.x versions

Check the box to generate changelog(s)

  • Generate changelog entry

# Run ./gradlew checkClassUniqueness --fix to update this file

## runtimeClasspath
[javax.el:javax.el-api, org.glassfish:jakarta.el]
Contributor Author


I don't understand why this is needed, when org.glassfish:jakarta.el seems to be removed from our versions.lock 🤔

Contributor Author


This is because

  • We're forcing down the version in
  • We were not forcing down the version of org.glassfish:jakarta.el, so we would get the higher version from the versions.lock file
  • The jersey bump removed org.glassfish:jakarta.el as a transitive dependency, thus not forcing the version up anymore, leading to us using the requested 3.0.4, which has the conflicts

Because we were actually using a higher version anyway, which didn't contain the classes, we can just exclude it as a transitive dependency, to continue relying on javax.el:javax.el-api.
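An illustrative build.gradle fragment of the approach described in the comment above: pin jersey with `strictly` and exclude the transitive org.glassfish:jakarta.el so that javax.el:javax.el-api is the only copy of those classes on the runtime classpath. This is an added example, not the file changed in this PR; the jersey module coordinate, the `jerseyVersion` value and the javax.el-api version are assumptions.

```groovy
// Illustrative build.gradle fragment (added example, not the project's own build file).
// The module coordinate and both version values below are assumptions.
def jerseyVersion = '2.47'

dependencies {
    implementation('org.glassfish.jersey.core:jersey-server') {
        version {
            // 'strictly' pins jersey to the requested version and rejects any
            // transitive upgrade or downgrade, so the patched release stays in place
            strictly jerseyVersion
        }
        // org.glassfish:jakarta.el on the 3.0.x line ships the same javax.el.* classes
        // as javax.el:javax.el-api; drop the transitive copy instead of carrying both
        exclude group: 'org.glassfish', module: 'jakarta.el'
    }
    // Keep relying on the javax.el API artifact already on the classpath
    implementation 'javax.el:javax.el-api:3.0.0'
}

// After changing the graph, check which version Gradle actually selected and why:
//   ./gradlew dependencyInsight --dependency org.glassfish:jakarta.el --configuration runtimeClasspath
// then regenerate the class-uniqueness lock so duplicate-class conflicts are caught:
//   ./gradlew checkClassUniqueness --fix
```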

version {
    strictly jerseyVersion
}
// This conflicts with org.glassfish:jakarta.el (which contains the same classes), when at the version requested by 2.40
Contributor


The details of CVE-2025-12383 are a bit unclear right now, but perhaps we should bump https://github.com/palantir/conjure-java-runtime/pull/3307/files#diff-5f9e3e7b8a9bffc2554597f5c9408adc3b41614674d053b9cdf6c1b8ba08c4cbR4 to the latest version as well (2.47)?

@changelog-app

changelog-app bot commented Nov 19, 2025

Successfully generated changelog entry!

Need to regenerate?

Simply interact with the changelog bot comment again to regenerate these entries.

📋 Changelog Preview

💡 Improvements

  • Bump jersey to latest 2.x and 3.x versions (#3307)

@aldexis aldexis changed the title Bump jersey to latest 3.x version Bump jersey to latest 2.x and 3.x versions Nov 19, 2025
@bjlaub
Contributor

bjlaub commented Nov 20, 2025

👍

@bulldozer-bot bulldozer-bot bot merged commit 14447f0 into develop Nov 20, 2025
5 checks passed
@bulldozer-bot bulldozer-bot bot deleted the ald/bump-jersey branch November 20, 2025 15:56
@autorelease3

autorelease3 bot commented Nov 20, 2025

Released 8.26.0
