bump all dependenciess with vulnerabilities #2141
Conversation
|
resolved conflict with vertx which was bumped in another PR |
|
@CCisGG could you please review and merge this change? |
| jettyVersion=9.4.53.v20231009 | ||
| zookeeperVersion=3.8.4 | ||
| nettyVersion=4.1.108.Final | ||
| jettyVersion=9.4.54.v20240208 |
There was a problem hiding this comment.
There's a newer version for jetty, 9.4.54 has a medium one: https://nvd.nist.gov/vuln/detail/CVE-2024-8184
9.4.56.v20240826
There was a problem hiding this comment.
I think moving to 9.4.56.v20240826 should be safe
| nettyVersion=4.1.100.Final | ||
| jettyVersion=9.4.53.v20231009 | ||
| zookeeperVersion=3.8.4 | ||
| nettyVersion=4.1.108.Final |
There was a problem hiding this comment.
vertx uses 4.1.110 and most of the cases the actually used netty lib version will be that. Would it make sense to upgrade to 4.1.110.Final?
There was a problem hiding this comment.
Makes sense, especially if a major dependency like Vert.x already uses that version
There was a problem hiding this comment.
there is 4.1.114.Final which doesn't seem to have any CVE
Bump dependencies for vulnerabilities. I've tried to keep in the major/minor track, using only patch versions where possible, but
nimbus-jose-jwtneeded to have a minor bump as well to avoid vulnerabilities.This PR resolves #2140.