fix(deps): address worlds-api jackson + netty vulnerabilities (java-client) #193
Merged
Jeremy Bensley (jbensley) merged 2 commits intoJun 25, 2026
Conversation
Bumps the maven group with 1 update in the /java-client directory: [tools.jackson.core:jackson-databind](https://github.com/FasterXML/jackson).

Updates `tools.jackson.core:jackson-databind` from 3.1.2 to 3.1.4
- [Commits](https://github.com/FasterXML/jackson/commits)

---
updated-dependencies:
- dependency-name: tools.jackson.core:jackson-databind
  dependency-version: 3.1.4
  dependency-type: direct:production
  dependency-group: maven
...

Signed-off-by: dependabot[bot] <support@github.com>
Folds the outstanding netty security fixes into this PR alongside the jackson-databind 3.1.4 bump. The existing 4.2.13.Final override no longer covers the newer high/medium Dependabot alerts (fixed in 4.2.15.Final) across netty-handler, netty-resolver-dns, netty-codec-http/http2/http3, netty-codec-classes-quic, and netty-transport-native-epoll. reactor-netty-http 1.3.5 still ships netty 4.2.12.Final; remove the override when it ships >= 4.2.15.Final.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Jeremy Bensley (jbensley)
approved these changes
Jun 25, 2026
Jeremy Bensley (jbensley)
left a comment
Collaborator
All worlds-api alerts addressed (jackson 3.1.4, netty 4.2.15.Final); CI green (build, codeql, analyze).
Summary
Addresses all open worlds-api Dependabot alerts, both in `java-client/pom.xml`:
- `tools.jackson.core:jackson-databind`
- `io.netty:netty-bom` (override)

Netty is pulled transitively via `reactor-netty-http` 1.3.5 (ships 4.2.12.Final); the existing 4.2.13.Final override no longer covers the newer alerts, so it's bumped to 4.2.15.Final. The `java` (server) module pulls no netty, so the fix is java-client only.

Testing
`mvn clean compile` succeeds; `mvn dependency:tree` confirms all `io.netty:*` artifacts resolve to 4.2.15.Final and jackson-databind to 3.1.4.

Jira: N/A (Dependabot security update)
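The `dependency:tree` verification from the Testing section as a repeatable check, added here as an example and not part of the PR or the project's code: it parses `mvn dependency:tree` text and reports every `io.netty` artifact whose resolved version differs from the pinned one, so a BOM override that silently missed an artifact (for instance one with a platform classifier) is caught. The sample tree, its coordinates and the stray epoll line are constructed assumptions, not output from the project's build.

```shell
#!/bin/sh
# Constructed sample of `mvn dependency:tree` output (not captured from the
# project); the epoll line is deliberately left at the reactor-netty baseline
# so the check has something to flag. Coordinates are placeholders.
SAMPLE_TREE='[INFO] io.example:worlds-api-java-client:jar:1.0.0
[INFO] +- tools.jackson.core:jackson-databind:jar:3.1.4:compile
[INFO] +- io.projectreactor.netty:reactor-netty-http:jar:1.3.5:compile
[INFO] |  +- io.netty:netty-handler:jar:4.2.15.Final:compile
[INFO] |  +- io.netty:netty-codec-http:jar:4.2.15.Final:compile
[INFO] |  +- io.netty:netty-codec-http2:jar:4.2.15.Final:compile
[INFO] |  +- io.netty:netty-resolver-dns:jar:4.2.15.Final:compile
[INFO] |  \- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.2.12.Final:runtime'

# check_tree GROUP EXPECTED_VERSION   (reads dependency:tree text on stdin)
# Tree lines carry groupId:artifactId:type[:classifier]:version:scope, so the
# version is the second-to-last field once a scope is present. Prints one
# MISMATCH line per artifact of GROUP whose resolved version differs from
# EXPECTED_VERSION and returns 1 if any were found, 0 when the override holds.
check_tree() {
  awk -v g="$1" -v want="$2" '
    {
      for (i = 1; i <= NF; i++) {
        n = split($i, f, ":")
        if (n < 4 || f[1] != g) continue
        ver = (n >= 5) ? f[n-1] : f[n]
        if (ver != want) {
          printf "MISMATCH %s:%s resolved %s, expected %s\n", f[1], f[2], ver, want
          bad = 1
        }
      }
    }
    END { exit (bad ? 1 : 0) }'
}

# Same check as a yes/no answer, convenient as a CI gate: 0 = fully pinned.
override_effective() {
  printf '%s\n' "$1" | check_tree "$2" "$3" >/dev/null
}

# Demo on the constructed sample: reports the stray epoll artifact.
printf '%s\n' "$SAMPLE_TREE" | check_tree io.netty 4.2.15.Final \
  || echo "netty override incomplete; see mismatches above"
```

Against a real build, pipe `mvn dependency:tree` into `check_tree io.netty 4.2.15.Final` and fail the job on a non-zero exit.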