Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Centralize dependency versions and bump where necessary #2929

Merged
merged 1 commit into from
Nov 15, 2022
Merged

Centralize dependency versions and bump where necessary #2929

merged 1 commit into from
Nov 15, 2022

Conversation

joschi
Copy link
Contributor

@joschi joschi commented Nov 14, 2022
edited

  • Breaking change? (if so, please describe the impact and migration path for existing application instances)

What changes did you make? (Give an overview)

  • Centralize dependencies in parent POM's dependencyManagement section.
  • Bump versions of dependencies which have known security issues (open CVEs).

Refs #2805
Refs #2926
Closes #2711

Is there anything you'd like reviewers to focus on?

How Has This Been Tested? (put an "x" (case-sensitive!) next to an item)

  • No need to
  • Manually (please, describe, if necessary)
  • Unit checks
  • Integration checks
  • Covered by existing automation

Checklist (put an "x" (case-sensitive!) next to all the items, otherwise the build will fail)

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (e.g. ENVIRONMENT VARIABLES)
  • My changes generate no new warnings (e.g. Sonar is happy)
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged

Check out Contributing and Code of Conduct

A picture of a cute animal (not mandatory but encouraged)

Happy dog

@joschi joschi requested review from a team and Haarolean as code owners November 14, 2022 09:27
@joschi
Copy link
Contributor Author

joschi commented Nov 14, 2022

Might also reference #2926.

@joschi joschi force-pushed the dependency-updates-cves-pr-2805 branch 3 times, most recently from 5226223 to d2ef42e Compare November 14, 2022 10:05
Haarolean
Haarolean approved these changes Nov 14, 2022
View reviewed changes
kafka-ui-serde-api/pom.xml Outdated Show resolved Hide resolved
@Haarolean Haarolean added scope/backend type/dependencies A pull request/issue dedicated to updating the dependency(-ies) labels Nov 14, 2022
@Haarolean Haarolean linked an issue Nov 14, 2022 that may be closed by this pull request
CVEs fixes, October 22 #2711
Closed
@joschi joschi force-pushed the dependency-updates-cves-pr-2805 branch 2 times, most recently from 6c3aa3d to 00be70d Compare November 14, 2022 11:31
@joschi joschi force-pushed the dependency-updates-cves-pr-2805 branch from 00be70d to 2104d81 Compare November 14, 2022 16:59
@sonarcloud
Copy link

sonarcloud bot commented Nov 14, 2022

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
No Duplication information No Duplication information

@Haarolean Haarolean merged commit 0d0a244 into provectus:master Nov 15, 2022
@joschi joschi deleted the dependency-updates-cves-pr-2805 branch November 15, 2022 11:05
Haarolean
Haarolean reviewed Dec 2, 2022
View reviewed changes
pom.xml
<org.projectlombok.version>1.18.24</org.projectlombok.version>
<protobuf-java.version>3.21.9</protobuf-java.version>
<reactor-netty.version>1.1.0</reactor-netty.version>
<scala-lang.library.version>2.13.9</scala-lang.library.version>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@joschi any idea how did this thing get in here? There's no scala library prior to your commit 🤔

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Haarolean Kafka (org.apache.kafka:kafka_2.13 used in kafka-ui-e2e-checks) is written in Scala and was pulling in a vulnerable version.

This property is only used in dependency management, so that Maven will pull in the non-vulnerable version of the Scala standard library instead.

https://github.com/personio/kafka-ui/blob/2104d81e139bb6b489594dc10caf676ea725dcf9/pom.xml#L132-L136

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@joschi thank you very much, I prefer to indicate this in poms, I'll add the comment

javalover123 pushed a commit to javalover123/kafka-ui that referenced this pull request Dec 7, 2022
@joschi
Centralize dependency versions and bump where necessary (provectus#2929)
8b6c699
Narekmat pushed a commit that referenced this pull request Dec 12, 2022
@joschi @Narekmat
Centralize dependency versions and bump where necessary (#2929)
71826c1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Haarolean Haarolean Haarolean approved these changes

Assignees
No one assigned
Labels
scope/backend type/dependencies A pull request/issue dedicated to updating the dependency(-ies)
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

CVEs fixes, October 22
2 participants
@joschi @Haarolean