Solve vulnerabilities by bumping dependency versions #288
Pull request overview
Updates the Gradle version catalog to change dependency versions, aiming to address reported vulnerabilities by moving libraries to newer (and in a few cases older) releases.
Changes:
- Bumps multiple platform/library versions (Spring Boot/Framework, Jackson, Netty/Reactor Netty, Commons Lang, Gson, Byte Buddy, etc.).
- Adjusts some dependencies to lower versions (notably Spring Security, Spring Session, and SnakeYAML).
- Changes Jackson annotations to a separately pinned version instead of using the shared Jackson version reference.
| springBoot = "3.5.13" | ||
| springSecurity = "6.4.5" | ||
| springFramework = "6.2.17" | ||
| springSession = "3.4.5" |
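Review bot: the springSecurity = "6.4.5" and springSession = "3.4.5" pins in this hunk sit below the versions that springBoot = "3.5.13" already manages through Spring Boot's dependency management, so they override Boot's choice downward; unless there is a documented compatibility reason, drop both pins (or align them with the versions Boot 3.5.13 manages) rather than carrying a downgrade in a PR whose title promises upgrades.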
The PR title says this change solves vulnerabilities by bumping dependency versions, but springSecurity (6.5.1 → 6.4.5) and springSession (3.5.1 → 3.4.5) are downgrades here. If the intent is to upgrade for CVE fixes, these should likely move forward (or the PR title/description should be updated to reflect the downgrade rationale).
| hibernateValidatorAnnotationProcessor = { group = "org.hibernate.validator", name = "hibernate-validator-annotation-processor", version.ref = "hibernateValidator" } | ||
| hibernateValidatorCdi = { group = "org.hibernate.validator", name = "hibernate-validator-cdi", version.ref = "hibernateValidator" } | ||
| jacksonAnnotations = { group = "com.fasterxml.jackson.core", name = "jackson-annotations", version.ref = "jackson" } | ||
| jacksonAnnotations = { group = "com.fasterxml.jackson.core", name = "jackson-annotations", version = "2.21" } |
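Review bot: `version = "2.21"` on jacksonAnnotations is a plain, non-strict version in a Gradle catalog, so when the other Jackson modules resolved through version.ref = "jackson" transitively require a higher 2.21.x patch of jackson-annotations, Gradle's conflict resolution picks that higher patch and this pin has no effect; if it were made strict it would instead split the Jackson patch level across the classpath. Either way the line should read `version.ref = "jackson"` like the other Jackson entries.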
jacksonAnnotations is pinned to 2.21 while the rest of Jackson uses version.ref = "jackson" (currently 2.21.2). This breaks the version-alignment pattern used for Jackson modules in this catalog and can lead to mixed Jackson patch versions on the classpath. Prefer using version.ref = "jackson" (or pin 2.21.2 consistently) unless there is a documented compatibility reason to diverge.
| jacksonAnnotations = { group = "com.fasterxml.jackson.core", name = "jackson-annotations", version = "2.21" } | |
| jacksonAnnotations = { group = "com.fasterxml.jackson.core", name = "jackson-annotations", version.ref = "jackson" } |
| reflections = { group = "org.reflections", name = "reflections", version = "0.9.12" } | ||
| snakeYaml = { group = "org.yaml", name = "snakeyaml", version = "2.4" } | ||
| snakeYaml = { group = "org.yaml", name = "snakeyaml", version = "2.2" } | ||
| springAop = { group = "org.springframework", name = "spring-aop", version.ref = "springFramework" } |
This change downgrades SnakeYAML (2.4 → 2.2). If this PR’s goal is to address vulnerabilities by upgrading dependencies, this is going in the opposite direction and may reintroduce known issues unless there’s a specific reason to pin to 2.2.
No description provided.