fix: resolve dependabot security alerts #631

Merged
jordeu merged 1 commit into master from fix/dependabot-security-alerts on May 22, 2026
Conversation

@jordeu (Member) commented May 22, 2026

Summary

Fixes all 6 open Dependabot alerts on the repository.

Alert         Dep           Was     Now     Path
#19/#18/#17   log4j-core    2.25.3  2.25.4  buildscript (yumi licenser)
#16 (high)    plexus-utils  4.0.2   4.0.3   buildscript (yumi licenser)
#14           jackson-core  2.18.0  2.18.6  runtimeClasspath (jersey)
#13           jgit          6.7.0   6.10.1  buildscript (yumi licenser)

Changes

  • dev.yumi.gradle.licenser 3.0.1 → 4.0.0 — picks up jgit 6.10.1.
  • Licenser moved from plugins {} to buildscript { dependencies { constraints { ... } } } so we can override its still-vulnerable transitives (log4j-core 2.25.3, plexus-utils 4.0.2). Once yumi 4.0.1+ ships with those bumps the buildscript block can be reverted to plain plugins { alias(libs.plugins.yumiLicenser) }.
  • Jackson BOM 2.18.6 added as a platform on both implementation and testImplementation — aligns jackson-core/jackson-databind/jackson-annotations/jackson-module-jaxb-annotations to 2.18.6.
  • Licenser 4.0.0 is stricter about files without a registered header handler (failed on .csv in src/test/resources). Added excludes for json, csv, txt, sh.

Verification

  • ./gradlew buildEnvironment → buildscript classpath shows log4j-core 2.25.4, plexus-utils 4.0.3, jgit 6.10.1.
  • ./gradlew :dependencyInsight --dependency jackson-core --configuration runtimeClasspath → 2.18.6 (by constraint).
  • ./gradlew checkLicenses → passes (60 test files scanned).
  • Full compileJava not run locally (PAT lacks read:packages scope for tower-java-sdk); CI will validate.

Test plan

  • CI build passes
  • CI unit tests pass
  • Confirm Dependabot alerts close after merge / security-submit-dependencies workflow runs on master

- Bump dev.yumi.gradle.licenser 3.0.1 -> 4.0.0 (pulls jgit 6.10.1, fixes GHSA-vrpq-qp53-qv56)
- Apply licenser via buildscript {} so we can constrain its transitive deps:
    - log4j-core 2.25.3 -> 2.25.4 (GHSA-445c-vh5m-36rj, GHSA-6hg6-v5c8-fphq, GHSA-3pxv-7cmr-fjr4)
    - plexus-utils 4.0.2 -> 4.0.3 (GHSA-6fmv-xxpf-w3cw)
- Add jackson-bom 2.18.6 platform to align Jackson modules (jackson-core 2.18.0 -> 2.18.6, GHSA-72hv-8253-57qq)
- Add json/csv/txt/sh exclusions for the stricter yumi licenser 4.0.0 test resource scan
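The buildscript-with-constraints arrangement and the Jackson platform import described in the changes above, written out as an added Gradle build script illustration. This is not the repository's actual build file: the Groovy DSL, the plugin-marker coordinates for the licenser, and the `license` extension name with its `exclude` method are assumptions; the versions, group/artifact names and GHSA identifiers are the ones the PR lists.

```groovy
// build.gradle (Groovy DSL). Added illustration, not the project's own file.
// Assumed: the licenser plugin is fetched from the Gradle Plugin Portal through the
// standard plugin-marker coordinates "<id>:<id>.gradle.plugin:<version>", and the
// plugin registers a `license` extension that accepts `exclude(...)` patterns.
buildscript {
    repositories {
        gradlePluginPortal()
    }
    dependencies {
        // Put the plugin on the buildscript classpath instead of using plugins {}:
        // constraints can only be attached to dependencies declared here.
        classpath "dev.yumi.gradle.licenser:dev.yumi.gradle.licenser.gradle.plugin:4.0.0"

        // Constraints raise the plugin's transitive dependencies: Gradle picks the
        // highest of the versions requested transitively and the constraint version.
        constraints {
            classpath("org.apache.logging.log4j:log4j-core:2.25.4") {
                because "GHSA-445c-vh5m-36rj, GHSA-6hg6-v5c8-fphq, GHSA-3pxv-7cmr-fjr4"
            }
            classpath("org.codehaus.plexus:plexus-utils:4.0.3") {
                because "GHSA-6fmv-xxpf-w3cw"
            }
        }
    }
}

plugins {
    id "java"
}

// Applied by id rather than via plugins {} because the classpath entry above provides it.
apply plugin: "dev.yumi.gradle.licenser"

dependencies {
    // platform() imports the BOM's managed versions as constraints on this
    // configuration, so jackson-core reached transitively (via jersey) resolves to 2.18.6.
    implementation platform("com.fasterxml.jackson:jackson-bom:2.18.6")
    testImplementation platform("com.fasterxml.jackson:jackson-bom:2.18.6")
}

license {
    // Licenser 4.0.0 fails on files with no registered header handler, so skip them.
    // `exclude` with Ant-style patterns is assumed from the plugin's extension API.
    exclude "**/*.json", "**/*.csv", "**/*.txt", "**/*.sh"
}
```

To check the effect, `./gradlew buildEnvironment` prints the resolved buildscript classpath (the constrained log4j-core and plexus-utils versions should appear there), and `./gradlew dependencyInsight --dependency jackson-core --configuration runtimeClasspath` shows the 2.18.6 selection annotated as coming from the constraint. Once a licenser release ships with the patched transitives, the `buildscript {}` block and `apply plugin:` line can collapse back to `plugins { alias(libs.plugins.yumiLicenser) }`, as the PR notes.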
jordeu marked this pull request as ready for review May 22, 2026 06:27
jordeu requested a review from pditommaso May 22, 2026 07:51
jordeu merged commit 85a811b into master May 22, 2026
11 checks passed
jordeu mentioned this pull request May 22, 2026