Upgrading Netty, Jetty and Spring 6

[shub-est]

Why

To remove the CVEs as outlined below:

Netty

CVE-2025-55163
CVE-2025-58056
CVE-2025-58057

Jetty
CVE-2025-5115

Spring 6
CVE-2024-38820
CVE-2025-22233
CVE-2025-41234
CVE-2025-41249

What

Upgrade the dependency versions

Netty - 4.1.122.Final -> 4.1.125.Final
Jetty - 12.0.22 -> 12.0.27
Jetty 11 - 11.0.25 -> 11.0.26
Spring 6 - 6.0.23 -> 6.2.11

Evidence
trivy_output.json

[senivam]

How does it differ from #6006? If you intend to target it for 3.1, then you should be aware that only one PR applies to the 3.1 branch. It will be later propagated (through a merge) to the 4.0 branch. So, both will be up to date. If my statement is true, then #6006 should be closed in favor of this.

[shub-est]

Hi @senivam, you are right, the intention here was to merge changes in the branches independently. Looking at the commits, my understanding was that the branches are developed independently. I will close the #6006 in favour of this PR.

Any thoughts on #6005?

[senivam]

Thank you @shub-est for aligning the PRs. Regarding the #6005 - the whole Jettison 1 module is deprecated and is in Jersey for backwards compatibility. The question is, if you really use the Jettison 1, or the purpose of the PR is only to clean out CVE's. And the note near Jettisson version warns about Jersey's incompatibility with newer versions (TKCs are failing or so). I doubt if it's possible to update the Jettison 1 version in a way that satisfies all checks in Jersey.

[shub-est]

I was working for cleaning up of CVEs for now.

Thanks for the clarification @senivam

[jansupol]

Upgrading Spring brings in a different version of micrometer-observation in Spring Example

[ERROR] Dependency convergence error for io.micrometer:micrometer-observation:jar:1.15.1. Paths to dependency are:
[ERROR] +-org.glassfish.jersey.validation:dependency-convergences:war:0.0.1
[ERROR]   +-org.glassfish.jersey.ext:jersey-micrometer:jar:3.1.99-SNAPSHOT:compile
[ERROR]     +-io.micrometer:micrometer-core:jar:1.15.1:compile
[ERROR]       +-io.micrometer:micrometer-observation:jar:1.15.1:compile
[ERROR] and
[ERROR] +-org.glassfish.jersey.validation:dependency-convergences:war:0.0.1
[ERROR]   +-org.glassfish.jersey.examples:helloworld-spring-webapp:jar:3.1.99-SNAPSHOT:compile
[ERROR]     +-org.springframework:spring-context:jar:6.2.11:compile
[ERROR]       +-io.micrometer:micrometer-observation:jar:1.14.11:compile
[ERROR] -> [Help 1]

[senivam]

@shub-est , regarding #6005 - for some reason, I've mixed the Jettison module with Jackson 1 module, so the part about

the whole Jettison 1 module is deprecated and is in Jersey for backwards compatibility

is not valid because it's about jackson1 module. However, the remaining part is valid, and in conjunction with that, I would recommend that instead of updating the version directly (if it really does not work), make the dependency of Jettison <scope>provided</provided> so it won't be directly dependent, thus it won't bring CVEs from vulnerable Jettison.

[senivam]

Regarding the build failure, you have to add the exclusion of

          <exclusions>
                <exclusion>
                    <groupId>io.micrometer</groupId>
                    <artifactId>micrometer-observation</artifactId>
                </exclusion>
            </exclusions>

from the

         <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-context</artifactId>
            <version>${spring6.version}</version>
        </dependency>

in the <artifactId>helloworld-spring-webapp</artifactId> example So, the resulting dependency would look like:

<dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-context</artifactId>
            <exclusions>
                <exclusion>
                    <groupId>io.micrometer</groupId>
                    <artifactId>micrometer-observation</artifactId>
                </exclusion>
            </exclusions>
            <version>${spring6.version}</version>
        </dependency>

This will solve the dependency-convergence validation failure.