chore: maintenance version bumps [24.9] (2026-05-22) [skip ci] by github-actions[bot] · Pull Request #8917 · vaadin/platform

github-actions · 2026-05-22T06:28:07Z

Automated maintenance-version updates against 24.9, discovered by scripts/check-versions.

Updates

kits/observability-kit-starter: jsVersion 3.2.0 → 3.2.1
kits/observability-kit-starter: javaVersion 3.2.0 → 3.2.1

Generated by scripts/check-versions/src/index.ts.

Automated maintenance-version updates against `24.9`, discovered by `scripts/check-versions`. ## Updates - `kits/observability-kit-starter`: jsVersion `3.2.0` → `3.2.1` - `kits/observability-kit-starter`: javaVersion `3.2.0` → `3.2.1` _Generated by `scripts/check-versions/src/index.ts`._

github-actions · 2026-05-22T06:46:24Z

Dependencies Report

🚫 Vulnerabilities:
- Vulnerabilities in: pkg:maven/com.vaadin/vaadin@24.9-SNAPSHOT [CVE-2026-2742] (osv-bomber,osv-scan)
  ·
- Vulnerabilities in: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@10.1.54 [CVE-2026-43515, CVE-2026-43513, CVE-2026-43514, CVE-2026-42498, CVE-2026-41284, CVE-2026-43512, CVE-2026-41293, BIT-tomcat-2026-43515, BIT-tomcat-2026-43513, BIT-tomcat-2026-43514, BIT-tomcat-2026-42498, BIT-tomcat-2026-41284, BIT-tomcat-2026-43512, BIT-tomcat-2026-41293] (osv-bomber,osv-scan,owasp)
  · cpe:2.3:a:apache:tomcat::::::::
  ·
- Vulnerabilities in: pkg:maven/io.netty/netty-codec@4.1.132.Final [CVE-2026-42583] (osv-bomber,osv-scan)
  ·
- Vulnerabilities in: pkg:maven/io.netty/netty-codec-dns@4.1.132.Final [CVE-2026-42579] (osv-bomber,osv-scan)
  ·
- Vulnerabilities in: pkg:maven/io.netty/netty-codec-mqtt@4.1.132.Final [CVE-2026-44248, CVE-2026-42581, CVE-2026-42579, CVE-2026-42584, CVE-2026-42582, CVE-2026-42583, CVE-2026-42585, CVE-2026-42587, CVE-2026-42586, CVE-2026-42580, CVE-2026-41417, CVE-2026-42578] (osv-bomber,osv-scan,owasp)
  · cpe:2.3:a:netty:netty::::::::
- Vulnerabilities in: pkg:maven/io.netty/netty-codec-redis@4.1.132.Final [CVE-2026-42586] (osv-bomber,osv-scan)
  ·
- Vulnerabilities in: pkg:maven/org.apache.commons/commons-configuration2@2.12.0 [CVE-2026-45205] (osv-bomber,osv-scan,owasp)
  · cpe:2.3:a:apache:commons_configuration::::::::
- Vulnerabilities in: pkg:maven/com.vaadin/flow-server@24.9-SNAPSHOT [CVE-2026-2742] (osv-scan)
  ·
- Vulnerabilities in: pkg:maven/io.netty/netty-codec-compression@4.1.132.Final [CVE-2026-42583] (osv-scan)
  ·
- Vulnerabilities in: pkg:maven/org.apache.tomcat/tomcat@10.1.54 [BIT-tomcat-2026-43515, CVE-2026-43515, BIT-tomcat-2026-43513, CVE-2026-43513, BIT-tomcat-2026-43514, CVE-2026-43514, BIT-tomcat-2026-42498, CVE-2026-42498, BIT-tomcat-2026-41284, CVE-2026-41284, BIT-tomcat-2026-43512, CVE-2026-43512, BIT-tomcat-2026-41293, CVE-2026-41293] (osv-scan)
  ·
- Vulnerabilities in: pkg:maven/org.apache.tomcat/tomcat-catalina@10.1.54 [BIT-tomcat-2026-43515, CVE-2026-43515, BIT-tomcat-2026-43513, CVE-2026-43513, BIT-tomcat-2026-43514, CVE-2026-43514, BIT-tomcat-2026-42498, CVE-2026-42498, BIT-tomcat-2026-41284, CVE-2026-41284, BIT-tomcat-2026-43512, CVE-2026-43512, BIT-tomcat-2026-41293, CVE-2026-41293] (osv-scan)
  ·
- Vulnerabilities in: pkg:maven/io.netty/netty-codec-memcache@4.1.132.Final [CVE-2026-42581, CVE-2026-42579, CVE-2026-42584, CVE-2026-42582, CVE-2026-42583, CVE-2026-42585, CVE-2026-42587, CVE-2026-44248, CVE-2026-42586, CVE-2026-42580, CVE-2026-41417, CVE-2026-42578] (owasp)
  · cpe:2.3:a:netty:netty::::::::
- Vulnerabilities in: pkg:maven/io.netty/netty-transport-udt@4.1.132.Final [CVE-2026-42581, CVE-2026-42579, CVE-2026-42584, CVE-2026-42582, CVE-2026-42583, CVE-2026-42585, CVE-2026-42587, CVE-2026-44248, CVE-2026-42586, CVE-2026-42580, CVE-2026-41417, CVE-2026-42578] (owasp)
  · cpe:2.3:a:netty:netty::::::::
- Vulnerabilities in: pkg:maven/org.springframework.boot/spring-boot-starter-aop@3.5.13 [CVE-2026-40974, CVE-2026-40971, CVE-2026-40972, CVE-2026-40975, CVE-2026-40973, CVE-2026-40977] (owasp)
  👌 Pulled in transitively via spring-cloud-kubernetes-fabric8-config:3.3.2 (the latest available release), where the platform parent already pins spring.boot.version to the latest 3.5.x. Spring dependency can be managed by the end user with using <spring.boot.version> or the parent spring boot starter — using the latest Spring Boot version is recommended.
  · cpe:2.3:a:vmware:spring_boot::::::::
- Vulnerabilities in: pkg:maven/com.vaadin/vaadin-core@24.9-SNAPSHOT [CVE-2026-2742, CVE-2026-2741] (owasp)
  · cpe:2.3:a:vaadin:vaadin::::::::
- Vulnerabilities in: pkg:maven/io.vertx/vertx-auth-common@4.5.25 [CVE-2026-6860] (owasp)
  · cpe:2.3:a:eclipse:vert.x::::::::
- Vulnerabilities in: pkg:maven/io.vertx/vertx-web-client@4.5.25 [CVE-2026-6860] (owasp)
  · cpe:2.3:a:eclipse:vert.x::::::::
🟠 Known Vulnerabilities:
- Vulnerabilities in: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.3 [CVE-2023-35116] (owasp)
  👌 Not a valid CVE report based on the vendor analysis and research
  · cpe:2.3:a:fasterxml:jackson-databind::::::::
- Vulnerabilities in: pkg:maven/me.friwi/jcef-api@jcef-ca49ada%2Bcef-135.0.20%2Bge7de5c3%2Bchromium-135.0.7049.85 [CVE-2024-21639, CVE-2024-21640, CVE-2024-9410] (owasp)
  👌 Wait for the update from the jcefmaven community. Meanwhile the swing-kit is supposed to be used with fixed websites and not to browse the internet, we have a check for that, so the only possible attacker would be the same person that created the swing application, aka our customer devs. so this vulnerability is not classified by us as critical issue
  · cpe:2.3:a:chromiumembedded:chromium_embedded_framework::::::::
  · cpe:2.3:a:ada:ada::::::::
- Vulnerabilities in: pkg:maven/com.networknt/json-schema-validator@1.5.9 [CVE-2025-15104] (owasp)
  👌 FP: The CVE belongs to Nu Html Checker which produce a false positive on Networknt JSON Schema Validator due to the overlapping keyword or an overly broad CPE mapping rule.
  · cpe:2.3:a:validator:validator::::::::
- Vulnerabilities in: pkg:maven/org.jetbrains.kotlin/kotlin-reflect@1.9.20 [CVE-2020-29582] (owasp)
  👌 The impact of this vulnerability is low, instead of taking the risk to break V24 with upgrading kotlin to 2.x, we focus on to not use deprecated API, to not use sensitive data in tests and to clean up the temp folders.
  · cpe:2.3:a:jetbrains:kotlin::::::::
  · cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.2.1:::::::*
  · cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:::::::*
  · cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.14.0:::::::*
- Vulnerabilities in: pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.0 [CVE-2020-29582] (owasp)
  👌 The impact of this vulnerability is low, instead of taking the risk to break V24 with upgrading kotlin to 2.x, we focus on to not use deprecated API, to not use sensitive data in tests and to clean up the temp folders.
  · cpe:2.3:a:jetbrains:kotlin::::::::
  · cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.2.1:::::::*
  · cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:::::::*
  · cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.14.0:::::::*
- Vulnerabilities in: pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk7@1.6.20 [CVE-2020-29582] (owasp)
  👌 The impact of this vulnerability is low, instead of taking the risk to break V24 with upgrading kotlin to 2.x, we focus on to not use deprecated API, to not use sensitive data in tests and to clean up the temp folders.
  · cpe:2.3:a:jetbrains:kotlin::::::::
  · cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.2.1:::::::*
  · cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:::::::*
  · cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.14.0:::::::*
- Vulnerabilities in: pkg:maven/io.netty/netty-transport@4.1.133.Final [CVE-2026-42582] (owasp)
  👌 FP: Based on GHSA-2c5c-chwr-9hqw, the entire 4.1.x branch of Netty does not contain the HTTP/3 codec sub-module or the QpackDecoder class.
  · cpe:2.3:a:netty:netty::::::::
- Vulnerabilities in: pkg:javascript/quill@1.3.7 [CVE-2021-3163] (owasp)
  👌 Disputed. Researchers have claimed that this issue is not within the product itself, but is intended behavior in a web browser
  · cpe:2.3:a:slab:quill:4.8.0:::::node.js::
- Vulnerabilities in: pkg:maven/com.vaadin/vaadin-swing-kit-flow@2.4.2 [CVE-2021-33604] (owasp)
  👌 false report: this CVE is targeting Vaadin version prior 20, swing-kit-flow is using vaadin 24+ version, the related issue has been fixed.
  · cpe:2.3:a:vaadin:flow-server::::::::
  · cpe:2.3:a:vaadin:vaadin::::::::
📔 No Core License Issues
📔 No License Issues
🟠 Changes in 24.9-SNAPSHOT since V24.9.17
- 1 packages removed (1 external, 0 vaadin)
- 126 packages modified (33 external, 93 vaadin)
- 595 packages same (453 external, 142 vaadin)

[Click for more Details]

ZheSun88 approved these changes May 22, 2026

View reviewed changes

ZheSun88 enabled auto-merge (squash) May 22, 2026 06:36

ZheSun88 changed the title ~~chore: maintenance version bumps [24.9] (2026-05-22)~~ chore: maintenance version bumps [24.9] (2026-05-22) [skip ci] May 22, 2026

ZheSun88 merged commit 61f66c5 into 24.9 May 22, 2026
3 of 4 checks passed

ZheSun88 deleted the bot/versions-24.9-2026-05-22 branch May 22, 2026 06:55

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore: maintenance version bumps [24.9] (2026-05-22) [skip ci]#8917

chore: maintenance version bumps [24.9] (2026-05-22) [skip ci]#8917
ZheSun88 merged 1 commit into
24.9from
bot/versions-24.9-2026-05-22

github-actions Bot commented May 22, 2026

Uh oh!

github-actions Bot commented May 22, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

github-actions Bot commented May 22, 2026

Updates

Uh oh!

github-actions Bot commented May 22, 2026

Dependencies Report

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant