fix(deps): update java dependencies #301
Open
+76
−76
This PR contains the following updates:
6.20.0->6.21.54.13.1->4.13.24.0.0-M2->4.0.04.0.0-M2->4.0.02.24.2->2.25.32.24.2->2.25.32.12.4->2.22.23.0.0->3.6.12.2.20->2.2.412.2.20->2.2.413.11.0->3.14.14.0.2->4.0.64.0.2->4.0.46.0.0->6.1.02.9->2.1042.3.9->42.7.83.4.0->3.5.12.3->2.82.15.3->2.20.11.11.3->1.15.45.1.1->5.1.36.2.1->6.5.76.2.1->6.5.72.5.5->2.66.2.1->6.5.72.1->2.5.12.2.1->2.46.2.1->6.2.151.6->1.15.43.4.1->3.12.02.14.0->2.21.01.10.0->1.15.01.2.1->1.6.06.2.1->6.2.153.6.0->3.8.02.15.3->2.206.2.1->6.2.152.19->2.22.22.15.3->2.20.12.15.3->2.20.13.3.1->3.5.12.15.3->2.20.13.1->3.14.13.1.1->3.9.03.5.0->3.12.02.8->2.10.112.1.0->12.1.512.1.0->12.1.512.1.0->12.1.512.1.0->12.1.512.1.0->12.1.512.1.0->12.1.56.2.1->6.2.156.2.1->6.2.156.2.1->6.2.106.2.1->6.2.86.2.1->6.2.156.2.1->6.2.156.2.1->6.2.156.2.1->6.2.116.2.1->6.2.7Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2025-41242
Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container.
An application can be vulnerable when all the following are true:
We have verified that applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration. Because we cannot check exploits against all Servlet containers and configuration variants, we strongly recommend upgrading your application.
CVE-2025-41234
Description
In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-supplied input.
Specifically, an application is vulnerable when all the following are true:
org.springframework.http.ContentDisposition
ContentDisposition.Builder#filename(String, Charset)
An application is not vulnerable if any of the following is true:
org.springframework.http.ContentDisposition
ContentDisposition.Builder#filename(String), or ContentDisposition.Builder#filename(String, ASCII)
Affected Spring Products and Versions
Spring Framework
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
No further mitigation steps are necessary.
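A defender-side illustration of the filename overloads the advisory distinguishes, added here and not taken from the advisory or from Spring's own code. safeFilename is a hypothetical sanitiser; ContentDisposition, HttpHeaders and ResponseEntity are Spring's public APIs.

```java
import java.nio.charset.StandardCharsets;
import org.springframework.http.ContentDisposition;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;

public final class DownloadHeaders {

    // Hypothetical sanitiser: reduce user input to a conservative ASCII subset
    // and never let the result be empty or start with a dot.
    static String safeFilename(String userSupplied) {
        String cleaned = userSupplied.replaceAll("[^A-Za-z0-9._-]", "_");
        if (cleaned.isEmpty() || cleaned.startsWith(".")) {
            cleaned = "download" + cleaned;
        }
        return cleaned;
    }

    // Pattern the advisory describes as affected: unsanitised user input passed
    // to filename(String, Charset) with a non-ASCII charset.
    static ContentDisposition affectedPattern(String userSupplied) {
        return ContentDisposition.attachment()
                .filename(userSupplied, StandardCharsets.UTF_8)
                .build();
    }

    // Hardened form: sanitise first, then use the plain filename(String)
    // overload, which the advisory lists as not affected.
    static ContentDisposition hardened(String userSupplied) {
        return ContentDisposition.attachment()
                .filename(safeFilename(userSupplied))
                .build();
    }

    // Builds the download response with the hardened header value.
    static ResponseEntity<byte[]> download(String userSupplied, byte[] body) {
        return ResponseEntity.ok()
                .header(HttpHeaders.CONTENT_DISPOSITION, hardened(userSupplied).toString())
                .contentType(MediaType.APPLICATION_OCTET_STREAM)
                .body(body);
    }
}
```

Upgrading to the fixed version remains the mitigation the advisory names; the sanitiser only narrows what user input can reach the header in the first place.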
CVE-2025-41249
The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions.
Your application may be affected by this if you are using Spring Security's @EnableMethodSecurity feature.
You are not affected by this if you are not using @EnableMethodSecurity or if you do not use security annotations on methods in generic superclasses or generic interfaces.
This CVE is published in conjunction with CVE-2025-41248 (https://spring.io/security/cve-2025-41248).
CVE-2025-22233
CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks.
Affected Spring Products and Versions
Spring Framework:
6.2.0 - 6.2.6
6.1.0 - 6.1.19
6.0.0 - 6.0.27
5.3.0 - 5.3.42
Older, unsupported versions are also affected
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
No further mitigation steps are necessary.
Generally, we recommend using a dedicated model object with properties only for data binding, or using constructor binding since constructor arguments explicitly declare what to bind together with turning off setter binding through the declarativeBinding flag. See the Model Design section in the reference documentation.
For setter binding, prefer the use of allowedFields (an explicit list) over disallowedFields.
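The allow-list and constructor-binding recommendations above, as an added example that is not from the advisory or from any Spring project code. ProfileForm, ProfileController and the field names are hypothetical; declarativeBinding is the DataBinder flag the advisory mentions.

```java
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical dedicated model object: constructor binding declares exactly
// which request parameters may be bound, so there is no setter to reach.
record ProfileForm(String displayName, String email) {}

@RestController
public class ProfileController {

    // Weak: a deny list of field names. CVE-2025-22233 concerns cases where
    // the disallowedFields check could still be bypassed, so any name not
    // anticipated here might still reach a setter.
    // @InitBinder
    // void weak(WebDataBinder binder) { binder.setDisallowedFields("admin", "roles"); }

    // Preferred: an explicit allow list, plus declarative binding so setter
    // binding is off and the constructor arguments are the only surface.
    @InitBinder("profileForm")
    void initBinder(WebDataBinder binder) {
        binder.setAllowedFields("displayName", "email");
        binder.setDeclarativeBinding(true);
    }

    @PostMapping("/profile")
    String update(@ModelAttribute("profileForm") ProfileForm form) {
        // form carries only displayName and email; other parameters are ignored
        return "updated " + form.displayName();
    }
}
```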
Credit
This issue was responsibly reported by the TERASOLUNA Framework Development Team from NTT DATA Group Corporation.
Release Notes
Jaspersoft/jasperreports (net.sf.jasperreports:jasperreports)
v6.21.5: JasperReports 6.21.5
added support for horizontalPosition and shrinkWidth properties to table component and weight
property to table columns to better control table resize behavior when table columns are hidden or resized.
various dependencies upgrades including: Spring 6.2.3, Apache Batik 1.18,
Apache Commons Codec 1.18.0, Apache Commons IO 2.18.0, Apache Commons Logging 1.3.5,
Apache Log4J 2.24.3, Apache Commons Collections 4.5.0 and Apache POI 5.4.1;
minor bug fixes and improvements;
v6.21.4: JasperReports 6.21.4
various dependencies upgrades including: Jackson 2.17.1, RequireJS 2.3.7, Apache POI 5.3.0
and Apache Xalan 2.7.3;
minor bug fixes and improvements;
v6.21.3
allow background section elements to be exported as page header content in the DOCX exporter
so that watermark type effects could be achieved;
minor bug fixes and improvements;
v6.21.2
v6.21.0
added support for PDF/A-2a, PDF/A-2b, PDF/A-2u, PDF/A-3a, PDF/A-3b, PDF/A-3u;
added support for WEBP images;
minor bug fixes and improvements;
v6.20.6
optional style expression added to report elements in addition to their existing static style
reference property to allow for more flexible and dynamic styling scenarios;
new IS_EVEN_ROW and IS_EVEN_COLUMN boolean built-in variables available in crosstabs to help
with alternate row/column styling of crosstab cells;
new custom configuration property net.sf.jasperreports.export.pptx.frame.as.table added to
control the rendering of table components as true PowerPoint table structures in PPTX exports;
added new data source implementation based on the Fastexcel Reader library to allow loading of
larger XLSX files without using too much heap memory (compared to existing POI-based implementation);
new custom property net.sf.jasperreports.cut.text.max.height available for text field elements
to limit the maximum height to which they can stretch to accommodate their larger text content
when textAdjust attribute is set to CutText value;
improved caching for clipped images and SVG drawings in the PDF exporter to help create smaller
size PDF files;
new number rounding functions available in report expressions;
minor bug fixes and improvements;
v6.20.5
fix historical text measuring truncation by rounding the AWT measured text height up to the next
integer instead of truncating it down; text elements with dynamic height therefore become 1 pixel taller,
which avoids text being cut in PDF exports;
for minimum disruption in upgrades, the former text measuring behavior is still available through the
net.sf.jasperreports.legacy.text.measuring boolean configuration property that would need to be set to true;
performance improvements for the HTML and RTF text markup processors by replacing the JEditorPane based
implementations with faster EditorKit implementations and fixing some multi-threading issues;
support for CMYK color conversion for text and shapes in PDF export using ICC profiles
(excluding image color conversion);
support for unpatched versions of the OpenPDF library although this is not recommended for as long as
the following OpenPDF bug remains open: LibrePDF/OpenPDF#676
minor bug fixes and improvements;
v6.20.4
v6.20.3
v6.20.2
added support for multiple marker series in the Google map component, with ability to show/hide
each series through an interactive legend and ability to bring the map to its initial visual state
using a custom reset button;
introducing expression backed custom properties at report part level to allow attaching metadata to
parts in multi-part documents, to be leveraged during report output post-processing by the parent application;
allowing the creation of multi-part documents from single part (section based) report templates
using a special custom property at report element level that triggers the creation of a separate part
for the current page when the property is met;
various dependencies upgrades including: Spring 5.3.26 and TestNG 7.7.0;
minor bug fixes and improvements;
v6.20.1
XLSX metadata exporter added to produce pure data output in the modern Excel file format
(similar to pre-existing XLS and CSV metadata exporters);
optimizations and improvements made in the XLSX exporter to allow skipping time consuming
text measuring routines during the report filling process and produce the output document
faster when the Excel format is the main (if not the only) export target;
support for file encryption in the XLS, XLSX, DOCX and PPTX exporters;
marker clustering and marker spidering features added to the Google Map component;
allow specifying the split type in table component rows;
replaced iText 2.1.7 with OpenPDF 1.3.30 for PDF export;
various dependencies upgrades including: Apache Lucene 8.11.2, Bouncy Castle 1.71,
Jaxen 1.2.0, Apache POI 5.2.2, Apache Batik 1.16, Jackson 2.14.1 and Groovy 4.0.8;
the Apache Xalan dependency was taken out from the core library and moved into an optional
and deprecated extension module;
minor bug fixes and improvements;
eclipse-ee4j/jersey (org.glassfish.jersey.core:jersey-server)
v4.0.0
v4.0.0-M4
v4.0.0-M3
mojohaus/build-helper-maven-plugin (org.codehaus.mojo:build-helper-maven-plugin)
v3.6.1
📝 Documentation updates
👻 Maintenance
📦 Dependency updates
v3.6.0
Changes
🚀 New features and improvements
📦 Dependency updates
👻 Maintenance
🔧 Build
v3.5.0
Changes
🚀 New features and improvements
📦 Dependency updates
👻 Maintenance
v3.4.0
Changes
🚀 New features and improvements
🐛 Bug Fixes
📦 Dependency updates
👻 Maintenance
swagger-api/swagger-core (io.swagger.core.v3:swagger-maven-plugin-jakarta)
v2.2.41: Swagger-core 2.2.41 released!
Configuration
📅 Schedule: Branch creation - At 10:00 PM through 11:59 PM and 12:00 AM through 04:59 AM ( * 22-23,0-4 * * * ), Only on Sunday and Saturday ( * * * * 0,6 ) in timezone Canada/Pacific, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.