Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Fix dependency vulnerabilities#342

Merged
danielalfarourrea merged 6 commits into
masterfrom
feature/fix-deps-vulns
May 20, 2026
Merged

Fix dependency vulnerabilities#342
danielalfarourrea merged 6 commits into
masterfrom
feature/fix-deps-vulns

Conversation

@danielalfarourrea

Copy link
Copy Markdown
Contributor

Summary

Bumps third-party dependencies to remediate published CVEs and removes a long-standing pom.xml anomaly that mixed core/plugin coordinates with runtime dependencies.

Changes

  • Bump httpclient5 5.3.1 → 5.4.3 (CVE-2025-27820)
  • Bump commons-compress 1.26.2 → 1.27.1 (CVE-2024-47554)
  • Remove maven-core / maven-javadoc-plugin entries from runtime deps; declare httpclient v4 explicitly (breaking)
  • Bump gson 2.8.9 → 2.11.0
  • Bump velocity-engine-core 2.3 → 2.4.1

Test plan

  • CI green

danielalfarourrea and others added 6 commits May 9, 2026 15:37
Patches CVE-2025-27820 (CVSS 9.1, Critical): improper URI handling
allows SSRF / redirect spoofing in apache-httpclient5. Fix is in 5.4.3.
This is the only Critical-severity CVE in the full backend-sdks
remediation plan.

Changes
-------
* pom.xml: httpclient5 dependency bumped from 5.3.1 to 5.4.3.

5.3.x -> 5.4.x maintains the public API. The fixes live inside
URIBuilder and redirect handling, not exposed to consumers of this
SDK.

Validated locally
-----------------
* mvn compile: BUILD SUCCESS (334 source files).
* mvn test: 179 tests, 0 failures, 0 errors, 0 skipped.
* mvn package: BUILD SUCCESS (jar + sources + javadoc).

Impact
------
No source files (.java) modified. Public SDK API is unchanged.
Consumers receive the patched httpclient5 transitively when they
update their dependency on this SDK; no code action required on
their side.

No breaking change.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
Patches CVE-2024-47554 (CVSS 7.5, High): denial of service via
disproportionate resource consumption (UncheckedIOException without
bound) when processing crafted compressed archives. Fix is in 1.27.1.

Changes
-------
* pom.xml: commons-compress dependency bumped from 1.26.2 to 1.27.1.

Validated locally
-----------------
* mvn compile: BUILD SUCCESS.
* mvn test: 179 tests, 0 failures, 0 errors, 0 skipped.
* mvn package: BUILD SUCCESS.

Impact
------
No source files (.java) modified. Patch update with stable API.
Consumers receive the patched commons-compress transitively.

No breaking change.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
…ttpclient v4 explicitly

Audit flagged that maven-javadoc-plugin and maven-core were declared
under <dependencies> instead of <build><plugins>. That mistake had two
side effects:

  1. The whole Maven internals tree leaked into the runtime classpath
     (commons-configuration2, plexus-utils, etc.), inflating the attack
     surface and bringing in transitive CVEs (CVE-2024-29131,
     CVE-2024-29133, CVE-2022-4244, CVE-2022-4245).
  2. It became the implicit provider of Apache HttpClient v4, which
     MPDefaultHttpClient actually uses (36 imports of org.apache.http.*
     in src/main/java). httpclient v4 was being pulled transitively
     without an explicit version pin.

Changes
-------
* pom.xml: removed the <dependency> entries for maven-javadoc-plugin
  3.8.0 (with its inner exclusions) and maven-core 3.9.6.
* pom.xml: added an explicit <dependency> on
  org.apache.httpcomponents:httpclient:4.5.14, which is the real HTTP
  client used by MPDefaultHttpClient. 4.5.14 is the latest 4.5.x
  patch line and is hardened against CVE-2020-13956.
* maven-javadoc-plugin remains correctly declared in <build><plugins>
  for its actual purpose (generating javadoc during the build); only
  the bogus runtime-dependency declaration was removed.

No source files (.java) modified.

Validated locally
-----------------
* mvn compile: BUILD SUCCESS.
* mvn test: 179 tests, 0 failures, 0 errors, 0 skipped.
* mvn package: BUILD SUCCESS.
* dependency:tree confirms maven-core, maven-javadoc-plugin,
  commons-configuration2 and plexus-* are out of the tree, while
  httpclient 4.5.14 + httpcore 4.4.16 are now resolved as direct
  dependencies.

CVEs closed
-----------
* CVE-2024-29131 / CVE-2024-29133 (commons-configuration2)
* CVE-2022-4244 / CVE-2022-4245 (plexus-utils)
* Pinning httpclient to 4.5.14 also covers CVE-2020-13956 if any
  consumer was previously pulling an older 4.5.x version through
  maven-core.

BREAKING CHANGE: consumers that were implicitly relying on Maven
internals being on the SDK runtime classpath (e.g. importing
commons-configuration2 or plexus-utils through this SDK without
declaring them themselves) must now declare those dependencies
directly in their own pom. This was always bad practice and the
audit recommends shipping this in the next major version.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
Refreshes the JSON serialization library to a current stable minor.
2.8.9 is from 2021 and accumulated bugfixes have shipped since.
gson 2.x is backward-compatible by design, so this is effectively
a drop-in update.

Changes
-------
* pom.xml: gson dependency bumped from 2.8.9 to 2.11.0.

Validated locally
-----------------
* mvn compile: BUILD SUCCESS.
* mvn test: 179 tests, 0 failures, 0 errors, 0 skipped.
* mvn package: BUILD SUCCESS.

Impact
------
No source files (.java) modified. The SDK consumes gson internally
for JSON marshalling; consumers of the SDK do not see this change
beyond receiving the patched library transitively.

No breaking change.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
Refreshes the Velocity template engine to its current stable line.
2.3 is from 2021. 2.4.x adds SSTI hardening and accumulated bugfixes.

Changes
-------
* pom.xml: velocity-engine-core dependency bumped from 2.3 to 2.4.1
  (the existing exclusion of org.hsqldb:hsqldb is preserved).

Validated locally
-----------------
* mvn compile: BUILD SUCCESS.
* mvn test: 179 tests, 0 failures, 0 errors, 0 skipped.
* mvn package: BUILD SUCCESS.

Impact
------
No source files (.java) modified. The SDK does not import any
org.apache.velocity.* class in src/main/java or src/test/java
(verified by grep). The behavior changes in Velocity 2.4 around
UberspectImpl and context handling are therefore inert for this SDK.

No breaking change.

Note for a follow-up audit: both velocity-engine-core and
velocity-tools-generic are declared in pom.xml but have zero usages
in the SDK source tree. They are candidates for removal in a future
cleanup PR; that scope is left out of this change set.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
@danielalfarourrea danielalfarourrea merged commit 9eed570 into master May 20, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant