Skip to content

Commit 155560a

Browse files
committed
Bump dependencies to address CVEs
- Bump log4j from 2.25.3 to 2.25.4 (CVE-2026-34480, CVE-2026-34478, CVE-2026-34477) - Bump jetty from 9.4.57 to 9.4.58 in hdfs-fixture (CVE-2026-2332) - Upgrade maven-model from 3.9.6 to 3.9.16, add plexus-xml 3.0.1 (CVE-2025-67030) - Force log4j-core to 2.25.4 in buildSrc - Bump commons-configuration2 from 2.11.0/2.13.0 to 2.15.0 (CVE-2026-34479) - Bump jsoup from 1.20.1 to 1.22.2 (CVE-2026-5598, CVE-2025-33042) - Bump Jackson from 2.18.6 to 2.18.8 (CVE-2026-0636, CVE-2026-5588) - Bump reactor-netty from 1.2.9 to 1.2.18, reactor-core from 3.7.5 to 3.7.19 (CVE-2026-24281, CVE-2026-24308) Signed-off-by: Andrew Ross <andrross@amazon.com>
1 parent 0335a97 commit 155560a

101 files changed

Lines changed: 64 additions & 58 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

buildSrc/build.gradle

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -136,7 +136,8 @@ dependencies {
136136
api 'de.thetaphi:forbiddenapis:3.8'
137137
api 'com.avast.gradle:gradle-docker-compose-plugin:0.17.6'
138138
api "org.yaml:snakeyaml:${props.getProperty('snakeyaml')}"
139-
api 'org.apache.maven:maven-model:3.9.6'
139+
api 'org.apache.maven:maven-model:3.9.16'
140+
api 'org.codehaus.plexus:plexus-xml:3.0.1'
140141
api 'com.networknt:json-schema-validator:1.2.0'
141142
api 'org.jruby.jcodings:jcodings:1.0.58'
142143
api 'org.jruby.joni:joni:2.2.1'
@@ -165,6 +166,7 @@ dependencies {
165166
configurations.all {
166167
resolutionStrategy {
167168
force "com.google.guava:guava:${props.getProperty('guava')}"
169+
force "org.apache.logging.log4j:log4j-core:${props.getProperty('log4j')}"
168170
}
169171
}
170172

buildSrc/src/testKit/thirdPartyAudit/sample_jars/build.gradle

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,7 @@ repositories {
1818
}
1919

2020
dependencies {
21-
implementation "org.apache.logging.log4j:log4j-core:2.24.3"
21+
implementation "org.apache.logging.log4j:log4j-core:2.25.4"
2222
}
2323

2424
["0.0.1", "0.0.2"].forEach { v ->
Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
4b4c09f49a6fa2fa122554453c2d71b5bf2077ef

client/rest/licenses/reactor-core-3.7.5.jar.sha1

Lines changed: 0 additions & 1 deletion
This file was deleted.

client/sniffer/licenses/jackson-core-2.18.6.jar.sha1

Lines changed: 0 additions & 1 deletion
This file was deleted.
Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
459eb2c4bb30bd6898eb9bbe9d7a4c4140529b8b

distribution/tools/upgrade-cli/licenses/jackson-annotations-2.18.6.jar.sha1

Lines changed: 0 additions & 1 deletion
This file was deleted.
Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
655290d9c95ce378c4b5177b858eefbce0b7867a

distribution/tools/upgrade-cli/licenses/jackson-databind-2.18.6.jar.sha1

Lines changed: 0 additions & 1 deletion
This file was deleted.
Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
4d2aa1ce8a37aefc6f65438f18a8d6d61b2a7450

0 commit comments

Comments
 (0)