
Bump io.undertow:undertow-servlet from 2.3.18.Final to 2.3.20.Final #3241

Merged
manovotn merged 2 commits into master from dependabot/maven/master/io.undertow-undertow-servlet-2.3.20.Final
Nov 26, 2025

@dependabot
Contributor

@dependabot dependabot Bot commented on behalf of github Nov 1, 2025

Bumps io.undertow:undertow-servlet from 2.3.18.Final to 2.3.20.Final.

Release notes

Sourced from io.undertow:undertow-servlet's releases.

v2.3.20.Final

Release 2.3.20.Final fixes CVE-2025-9784. Full list of issues: view in Jira

    Release Notes - Undertow - Version 2.3.20.Final

v.2.3.19.Final

Release 2.3.19.Final fixes CVE-2024-4109. Full list of issues: view in Jira

    Release Notes - Undertow - Version 2.3.19.Final

... (truncated)

Commits
  • 5e6c73d Prepare 2.3.20.Final
  • 967ec02 Merge pull request #1803 from fl4via/backport-fixes_2.3.x
  • 2448f7a [UNDERTOW-2598] Replace the delayed cleaning algorithm in DirectByteBufferDea...
  • e7c28ac Merge pull request #1802 from fl4via/backport-fixes_2.3.x
  • 39fcfbe [UNDERTOW-2598] CVE-2025-9784 At AbstractFramedStreamSinkChannel, safeguard a...
  • 1d013b2 [UNDERTOW-2598] CVE-2025-9784 Add a delay in the actual direct byte buffer de...
  • afbd244 [UNDERTOW-2598] CVE-2025-9784 Prevent the dispatch of an exchange if the conn...
  • 4610806 [UNDERTOW-2598] CVE-2025-9784 Prevent a MadeYouReset HTTP2 attack by sending ...
  • c5a9817 [UNDERTOW-2235] Properly handle non servlet methods dispatched as error into ...
  • 5756047 [UNDERTOW-2604] fix potential NPE from alternate ctor
  • Additional commits viewable in compare view


@dependabot dependabot Bot added the dependencies label Nov 1, 2025
@dependabot dependabot Bot requested a review from manovotn as a code owner November 1, 2025 11:03
@dependabot dependabot Bot added the java and dependencies labels Nov 1, 2025
@manovotn
Member

@dependabot rebase

@dependabot dependabot Bot force-pushed the dependabot/maven/master/io.undertow-undertow-servlet-2.3.20.Final branch from ed5fb43 to 4911655 Compare November 25, 2025 11:31
@manovotn
Member

This is a really awkward error because the class and its method most definitely are on the classpath. Plus there was no recent change to the method which might cause this. I tried forcibly swapping to several other versions too but this always fails 🤔

java.lang.NoSuchMethodError: 'int io.smallrye.common.constraint.Assert.checkMinimumParameter(java.lang.String, int, int)'
at org.jboss.threads.EnhancedQueueExecutor$Builder.setCorePoolSize(EnhancedQueueExecutor.java:567)
at org.xnio.XnioWorker.<init>(XnioWorker.java:150)
at org.xnio.nio.NioXnioWorker.<init>(NioXnioWorker.java:84)
at org.xnio.nio.NioXnio.build(NioXnio.java:232)
at org.xnio.XnioWorker$Builder.build(XnioWorker.java:1193)
at org.xnio.Xnio.createWorker(Xnio.java:481)
at org.xnio.Xnio.createWorker(Xnio.java:463)
at org.xnio.Xnio.createWorker(Xnio.java:450)
at io.undertow.Undertow.start(Undertow.java:125)
at org.jboss.weld.environment.servlet.undertow.UndertowSmokeTest.testUndertow(UndertowSmokeTest.java:73)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:569)
at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:59)
at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:56)
at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
at org.junit.runners.ParentRunner$3.evaluate(ParentRunner.java:306)
at org.junit.runners.BlockJUnit4ClassRunner$1.evaluate(BlockJUnit4ClassRunner.java:100)
at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:366)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:103)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:63)
at org.junit.runners.ParentRunner$4.run(ParentRunner.java:331)
at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:79)
at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:329)
at org.junit.runners.ParentRunner.access$100(ParentRunner.java:66)
at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:293)
at org.junit.runners.ParentRunner$3.evaluate(ParentRunner.java:306)
at org.junit.runners.ParentRunner.run(ParentRunner.java:413)
at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:316)
at org.apache.maven.surefire.junit4.JUnit4Provider.executeWithRerun(JUnit4Provider.java:240)
at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:214)
at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:155)
at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:385)
at org.apache.maven.surefire.booter.ForkedBooter.execute(ForkedBooter.java:162)
at org.apache.maven.surefire.booter.ForkedBooter.run(ForkedBooter.java:507)
at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:495)

dependabot Bot and others added 2 commits November 26, 2025 10:10
Bumps [io.undertow:undertow-servlet](https://github.com/undertow-io/undertow) from 2.3.18.Final to 2.3.20.Final.
- [Release notes](https://github.com/undertow-io/undertow/releases)
- [Commits](undertow-io/undertow@2.3.18.Final...2.3.20.Final)

---
updated-dependencies:
- dependency-name: io.undertow:undertow-servlet
  dependency-version: 2.3.20.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@manovotn manovotn force-pushed the dependabot/maven/master/io.undertow-undertow-servlet-2.3.20.Final branch from 9b667ad to 2f6015c Compare November 26, 2025 09:11
@manovotn
Member

Turns out that jboss-logmanager and undertow-servlet were both transitively pulling in some parts of SmallRye Common dependencies in different versions; namely, logmanager was bringing in too old a version for undertow to chew on.
I have added an explicit BOM version for SR common for now; we should be able to remove that once we can have a newer logmanager than 3.1.2.Final.
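
The kind of conflict described in the comment above can be surfaced before a test fails by parsing `mvn dependency:tree -Dverbose` output for artifacts requested at more than one version. This is an added example, not code from the PR or from the Weld project; the tree, the `OLDER`/`NEWER`/`PLACEHOLDER` versions and the name `find_version_conflicts` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed, simplified `mvn dependency:tree -Dverbose` output. OLDER, NEWER and
# PLACEHOLDER stand in for versions that the page does not state.
SAMPLE_TREE = r"""
[INFO] org.example:demo:jar:1.0-SNAPSHOT
[INFO] +- org.jboss.logmanager:jboss-logmanager:jar:3.1.2.Final:compile
[INFO] |  \- io.smallrye.common:smallrye-common-constraint:jar:OLDER:compile
[INFO] \- io.undertow:undertow-servlet:jar:2.3.20.Final:compile
[INFO]    \- org.jboss.threads:jboss-threads:jar:PLACEHOLDER:compile
[INFO]       \- (io.smallrye.common:smallrye-common-constraint:jar:NEWER:compile - omitted for conflict with OLDER)
"""

# group 1: tree indent (3 chars per level), group 2: "(" marks a node Maven omitted,
# group 3: g:a:type:version (root) or g:a:type[:classifier]:version:scope
LINE = re.compile(r"^\[INFO\] ((?:[| ]  )*(?:[+\\]- )?)(\(?)([\w.\-]+(?::[\w.\-]+){3,5})")

def find_version_conflicts(tree_text):
    """Return artifacts requested at more than one version, with the selected
    version and the dependency path that asked for each version."""
    requested = defaultdict(lambda: defaultdict(list))
    selected = {}
    stack = []  # stack[d] is the node currently open at depth d
    for line in tree_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # banner, summary or blank line
        indent, omitted, coords = m.groups()
        parts = coords.split(":")
        ga = f"{parts[0]}:{parts[1]}"
        version = parts[3] if len(parts) == 4 else parts[-2]
        del stack[len(indent) // 3:]          # close deeper siblings
        stack.append(f"{ga}:{version}")
        requested[ga][version].append(" -> ".join(stack[1:]))  # path without the root
        if not omitted:
            selected[ga] = version            # the copy that lands on the classpath
    return {ga: {"selected": selected.get(ga), "requested": dict(versions)}
            for ga, versions in requested.items() if len(versions) > 1}

if __name__ == "__main__":
    for ga, info in find_version_conflicts(SAMPLE_TREE).items():
        print(ga, "selected:", info["selected"])
        for version, paths in info["requested"].items():
            print("  ", version, "via", paths)
```

In the constructed tree Maven's nearest-wins mediation selects the shallower `OLDER` copy, which is why pinning the version in `dependencyManagement` (for example through a BOM import) changes the outcome.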

@manovotn
Member

Hm, the CI failure is while attempting to download the latest WFLY from their CI, not much I can do there:

Run wget https://ci.wildfly.org/guestAuth/repository/download/WF_WildflyPreviewNightly/latest.lastSuccessful/wildfly-preview-latest-SNAPSHOT.zip
--2025-11-26 09:15:04-- https://ci.wildfly.org/guestAuth/repository/download/WF_WildflyPreviewNightly/latest.lastSuccessful/wildfly-preview-latest-SNAPSHOT.zip
Resolving ci.wildfly.org (ci.wildfly.org)... 8.43.85.112
Connecting to ci.wildfly.org (ci.wildfly.org)|8.43.85.112|:443... connected.
HTTP request sent, awaiting response... 500
2025-11-26 09:16:45 ERROR 500: (no description).
Error: Process completed with exit code 8.

@manovotn manovotn merged commit b4fd881 into master Nov 26, 2025
30 of 32 checks passed
@manovotn manovotn deleted the dependabot/maven/master/io.undertow-undertow-servlet-2.3.20.Final branch November 26, 2025 17:13