
deps(phase1): close CVEs and upgrade build tooling#11

Merged: sundancekid73 merged 1 commit into main from deps/phase1-housekeeping on Jun 10, 2026

Conversation

@sundancekid73

Collaborator

Summary

  • Jackson 2.9.10 → 2.17.3 (all modules via BOM override): closes CVE-2020-25649 (XXE, 7.5), CVE-2021-46877 (DoS, 7.5), CVE-2022-42003/42004 (DoS, 7.5), CVE-2025-52999 (StackOverflow, 7.5)
  • Log4j2 2.16.0 → 2.24.3: closes CVE-2021-45105 (infinite recursion, 7.5)
  • commons-compress forced 1.24.0 → 1.27.1: closes CVE-2024-25710 (8.1), CVE-2024-26308 (5.5) — transitive via TestContainers
  • Gradle wrapper 6.8 → 7.6.4; com.palantir.docker 0.26.0 → 0.36.0; com.gradle.enterprise 3.5.1 → 3.16.2
  • Lombok 1.18.22 → 1.18.38; JUnit 5.7.1 → 5.11.4; TestContainers 1.20.1 → 1.20.6; JaCoCo 0.8.7 → 0.8.13
  • Fix Gradle 7 deprecations: testCompile → testImplementation, xml.enabled → xml.required, remove redundant default sourceSets block
  • KeywordDeserializer: replace removed javax.xml.bind.DatatypeConverter with java.time.OffsetDateTime

Remaining CVEs (addressed in Phase 2)

Spring Boot 2.4.5 itself carries CVEs in spring-core, spring-beans, logback, snakeyaml, and spring-data-mongodb — all resolved by the planned Spring Boot 2.7.18 upgrade.

Test plan

  • All 56 tests pass locally (./gradlew test)
  • JaCoCo report generates (./gradlew jacocoTestReport)
  • CI green on deps/phase1-housekeeping

Generated with Claude Code
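The overrides listed in the summary, assembled into one Gradle 7 build fragment so the pieces can be seen together. This is an added example, not the repository's build.gradle: it assumes a Groovy DSL build that applies the Spring Boot 2.4.5 Gradle plugin together with io.spring.dependency-management (the `jackson-bom.version`, `log4j2.version` and `junit-jupiter.version` keys are the Boot BOM's own override properties), and the starter, Lombok and TestContainers coordinates are illustrative stand-ins for whatever the project actually declares.

```groovy
// Added example, not the project's build.gradle. Gradle 7 Groovy DSL fragment
// assuming the Spring Boot 2.4.x plugin plus io.spring.dependency-management,
// which is what makes the *.version override properties below take effect.
plugins {
    id 'java'
    id 'jacoco'
    id 'org.springframework.boot' version '2.4.5'
    id 'io.spring.dependency-management' version '1.0.11.RELEASE'
}

// Spring Boot's BOM exposes the versions of the BOMs it imports as properties.
// Overriding them replaces every managed Jackson, Log4j2 and JUnit module at
// once instead of pinning each artifact by hand (and risking a mixed set).
ext['jackson-bom.version'] = '2.17.3'
ext['log4j2.version'] = '2.24.3'
ext['junit-jupiter.version'] = '5.11.4'

configurations.all {
    resolutionStrategy {
        // commons-compress is not managed by the Boot 2.4 BOM and only arrives
        // transitively through TestContainers, so no BOM property can reach it.
        // force applies to every configuration, test classpaths included.
        force 'org.apache.commons:commons-compress:1.27.1'
    }
}

dependencies {
    implementation 'org.springframework.boot:spring-boot-starter'
    // No version here: it comes from the overridden Jackson BOM above.
    implementation 'com.fasterxml.jackson.core:jackson-databind'

    compileOnly 'org.projectlombok:lombok:1.18.38'
    annotationProcessor 'org.projectlombok:lombok:1.18.38'

    // Gradle 7 removed testCompile; testImplementation is the replacement.
    testImplementation 'org.springframework.boot:spring-boot-starter-test'
    testImplementation 'org.testcontainers:junit-jupiter:1.20.6'
}

jacoco {
    toolVersion = '0.8.13'
}

test {
    useJUnitPlatform()
    finalizedBy jacocoTestReport
}

jacocoTestReport {
    dependsOn test
    reports {
        // Gradle 7 replaced the boolean `enabled` with the Property `required`.
        xml.required = true
        html.required = true
    }
}
```

Neither a BOM property nor a `force` rule shows in the build file whether it actually won; only the resolved graph does. After the change, `./gradlew dependencyInsight --configuration testRuntimeClasspath --dependency commons-compress` should report the forced `1.27.1` with the `1.24.0 -> 1.27.1` arrow on the TestContainers path, and `./gradlew dependencies --configuration runtimeClasspath` should show no Jackson module left below 2.17.3. Checking the test classpath matters here because that is the only configuration the transitive commons-compress lands on.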

- Jackson all modules 2.9.10 → 2.17.3 (via BOM override): closes
  CVE-2020-25649 XXE, CVE-2021-46877 DoS, CVE-2022-42003/42004 DoS,
  CVE-2025-52999 StackOverflow
- Log4j2 2.16.0 → 2.24.3: closes CVE-2021-45105 infinite recursion
- commons-compress forced 1.24.0 → 1.27.1: closes CVE-2024-25710,
  CVE-2024-26308 (transitive via TestContainers)
- Lombok 1.18.22 → 1.18.38
- JUnit Jupiter 5.7.1 → 5.11.4 (umbrella; individual modules pinned
  by Boot BOM until Phase 2)
- TestContainers 1.20.1 → 1.20.6
- JaCoCo 0.8.7 → 0.8.13
- com.palantir.docker plugin 0.26.0 → 0.36.0
- com.gradle.enterprise plugin 3.5.1 → 3.16.2
- Gradle wrapper 6.8 → 7.6.4
- Fix Gradle 7 deprecations: testCompile → testImplementation,
  xml.enabled → xml.required; remove redundant default sourceSets block
- KeywordDeserializer: replace javax.xml.bind.DatatypeConverter
  (removed from JDK 9+) with java.time.OffsetDateTime

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
sundancekid73 merged commit 627dd81 into main on Jun 10, 2026
8 checks passed
sundancekid73 deleted the deps/phase1-housekeeping branch on June 10, 2026 07:19