fix(deps): clear all 12 known CVEs from the 2026-04-17 baseline #50
Bumps every dependency flagged by the OSV-Scanner + Dependabot pass to
its fixed version. Re-running OSV after this commit: 0 findings.
Maven (all transitive, overridden via pom properties and
dependencyManagement — nothing to change in our direct dep list):
tomcat-embed-core 11.0.20 -> 11.0.21 (tomcat.version property)
CVE-2026-34483 HIGH: JsonAccessLogValve improper encoding
CVE-2026-34487 HIGH: sensitive info insertion into log file
CVE-2026-34500 MOD : CLIENT_CERT auth does not fail as expected
tools.jackson.core:* 3.1.0 -> 3.1.1 (explicit management entries)
GHSA-2m67-wjpj-xhg9 HIGH: document length bypass in blocking/async/
DataInput parsers
log4j-core 2.25.3 -> 2.25.4 (explicit management entry)
CVE-2026-34477 MOD : verifyHostName silently ignored in TLS config
CVE-2026-34478 MOD : log injection in Rfc5424Layout
CVE-2026-34480 MOD : silent log-event loss in XmlLayout
log4j-layout-template-json 2.25.3 -> 2.25.4
CVE-2026-34481 MOD : improper serialization of non-finite floats
shiro-core 2.0.6 -> 2.1.0
CVE-2026-23901 LOW : observable timing discrepancy
(pulled in by neo4j-security)
mcp-core 1.1.0 -> 1.1.1
CVE-2026-34237 MOD : hardcoded wildcard CORS on MCP endpoints.
Load-bearing for us — our read-only MCP API should not accept
cross-origin requests from arbitrary origins.
npm (direct dev dependency):
vite 6.4.1 -> 6.4.2 (src/main/frontend/)
CVE-2026-39363 HIGH: arbitrary file read via dev server WebSocket
CVE-2026-39365 MOD : path traversal in optimized deps .map handling
Dev-only (build tool) — blast radius is the developer machine.
Note on Jackson: Spring Boot 4.0.5's `<jackson.version>` property pins
only the new-API artifacts (tools.jackson.core:*) — Spring Boot does
not propagate it to them, so the property override by itself is a
no-op. Explicit <dependencyManagement> entries for jackson-core /
-databind / -annotations are required until the Boot BOM catches up.
Revert hints are captured in the pom's comment blocks so when Spring
Boot 4.0.6+ / the Spring-AI BOM / Neo4j 2026.02.4 ship with these
versions naturally, these overrides can go away.
Verified:
mvn test -> 3,059 tests, 0 failures, 0 errors
osv-scanner -> 0 findings (was 12: 4 HIGH / 7 MOD / 1 LOW)
dependency:tree -> all 6 Maven and 1 npm versions match fix targets
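The last item of the Verified list, "dependency:tree matches fix targets", written out as an added example that is not part of this PR or the project: a POSIX shell check that reads `mvn dependency:tree` output and fails unless every Maven fix target resolves to exactly its fixed version. The point is the Jackson note above: a property override the BOM does not propagate resolves silently to the old version, and only the resolved tree reveals it. The tree excerpts are constructed, not the project's real output; the groupIds are assumed from the public artifact coordinates, and the mcp-core coordinate in particular is an assumption.

```shell
#!/bin/sh
# Added example, not from the PR: confirm that dependency overrides actually landed
# in the resolved Maven tree. A <property> override that the BOM does not propagate
# (the tools.jackson.core case) silently resolves to the old version, and only the
# tree output shows it. groupIds are assumed; the mcp-core coordinate especially.
# Run dependency:tree without -Dverbose, otherwise omitted candidates are reported too.

# groupId:artifactId=fix-version, one per line (the PR's six Maven targets, with
# jackson-databind included because tools.jackson.core:* was bumped as a group).
FIX_TARGETS='org.apache.tomcat.embed:tomcat-embed-core=11.0.21
tools.jackson.core:jackson-core=3.1.1
tools.jackson.core:jackson-databind=3.1.1
org.apache.logging.log4j:log4j-core=2.25.4
org.apache.logging.log4j:log4j-layout-template-json=2.25.4
org.apache.shiro:shiro-core=2.1.0
io.modelcontextprotocol.sdk:mcp-core=1.1.1'

# check_resolved_versions TREE_TEXT
# Prints one line per target that is missing or resolves to the wrong version.
# Returns 0 only when every target is present at exactly its fix version.
check_resolved_versions() {
    tree=$1
    fails=0
    for entry in $FIX_TARGETS; do
        coord=${entry%%=*}
        want=${entry#*=}
        # dependency:tree lines read "<prefix> group:artifact:type[:classifier]:version:scope",
        # optionally followed by "(version managed from X)". The version is always the
        # second-to-last colon-separated field, so the managed-from note cannot fool it.
        got=$(printf '%s\n' "$tree" | grep -F -- "$coord:" \
              | awk -F: '{ print $(NF-1) }' | sort -u | paste -s -d ',' -)
        if [ -z "$got" ]; then
            echo "MISSING  $coord (not in resolved tree)"
            fails=$((fails + 1))
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $coord resolved=$got expected=$want"
            fails=$((fails + 1))
        fi
    done
    [ "$fails" -eq 0 ]
}

# Constructed excerpt of `mvn dependency:tree` output after the bump (not real output).
TREE_AFTER='[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:4.0.5:compile
[INFO] |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:11.0.21:compile (version managed from 11.0.20)
[INFO] |  +- tools.jackson.core:jackson-core:jar:3.1.1:compile (version managed from 3.1.0)
[INFO] |  \- tools.jackson.core:jackson-databind:jar:3.1.1:compile (version managed from 3.1.0)
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.25.4:compile
[INFO] +- org.apache.logging.log4j:log4j-layout-template-json:jar:2.25.4:compile
[INFO] +- org.apache.shiro:shiro-core:jar:2.1.0:compile
[INFO] \- io.modelcontextprotocol.sdk:mcp-core:jar:1.1.1:compile'

# Constructed intermediate state: only <jackson.version> was set, which the Boot BOM
# does not apply to tools.jackson.core, so both Jackson artifacts stay at 3.1.0.
TREE_BEFORE='[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:4.0.5:compile
[INFO] |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:11.0.21:compile (version managed from 11.0.20)
[INFO] |  +- tools.jackson.core:jackson-core:jar:3.1.0:compile
[INFO] |  \- tools.jackson.core:jackson-databind:jar:3.1.0:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.25.4:compile
[INFO] +- org.apache.logging.log4j:log4j-layout-template-json:jar:2.25.4:compile
[INFO] +- org.apache.shiro:shiro-core:jar:2.1.0:compile
[INFO] \- io.modelcontextprotocol.sdk:mcp-core:jar:1.1.1:compile'

echo "== after bump =="
check_resolved_versions "$TREE_AFTER" && echo "all fix targets resolved at their fixed versions"
echo "== jackson property override only =="
check_resolved_versions "$TREE_BEFORE" || echo "override did not land: add explicit dependencyManagement entries"
```

On the real project the check is `mvn -q dependency:tree > tree.txt` followed by `check_resolved_versions "$(cat tree.txt)"` in CI, so a BOM that later re-pins one of these artifacts to a vulnerable version fails the build instead of passing unnoticed.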
CodeRabbit walkthrough: Maven property definitions and transitive dependency management overrides were added to pin versions for Tomcat (11.0.21), Jackson 3.x components (3.1.1), Log4j (2.25.4), Apache Shiro (2.1.0), and MCP SDK (1.1.1). Frontend build tool Vite was updated from ^6.1.0 to ^6.4.2, with package ordering adjusted.
…ner (#50) (#55) Replace full @SpringBootTest bootstrap with ApplicationContextRunner that loads only UnifiedConfigBeans + ProjectConfigLoader. All 4 tests pass in under a second vs. multi-second full-context startup, same correctness guarantee for the config-wiring surface. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>