Conversation
This is probably okay (tests pass, semver lines up), but only surfaced by my ill-fated attempt to squelch an irrelevant Dependabot finding in #263.
I've put up #265 to remove the dependency instead of updating it. I'm good with either approach, with a slight bias to removing it for now since it's not really necessary.
Does another dependency transitively pull in a safe version? I haven't done the legwork. I prefer #265 if Dependabot likes it.
Oh I thought the requirement of a particular "safe" version wasn't necessary b/c the dependabot alert had to be closed anyway. Maybe I misunderstood though |
Oh, no, you're right. I thought it was some long-established override and didn't connect the dots to my own comment three days ago. These things become a blur once there are enough of them... |
And after that discussion ... there's a new one on the same dependency. |
lol okay, let's just merge this one then
For whatever reason, it still didn't work to close the alert. There's some nuance I've missed. |
This feels like a problem with the security alert? The spring page is pretty clear that 1.1.13 is fixed: https://spring.io/security/cve-2023-34054 |
When I pulled the report on the prior PR, both a vulnerable version and the latest version were being submitted to GitHub. This library is transitive via another dependency, but ... we do that all the time! I couldn't quickly figure out what was different here. |
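The situation described in the comment above, a dependency snapshot that carries both a vulnerable and a fixed version of the same artifact, as an added Python example (not code from this PR, from Scala Steward, or from sbt-typelevel). The snapshot is constructed to mirror the shape of a GitHub dependency-submission manifest (`manifests.<file>.resolved.<purl>`), the package URLs and the http4s entry are illustrative, and the fixed version 1.1.13 is taken from the Spring advisory linked in the thread. The check flags every resolved entry that sits below its fix, which is why a snapshot that still submits 1.0.39 keeps the alert open even though 1.1.13 is present too.

```python
"""Flag resolved dependency versions that are below a known fix.

Added example, not project code. SNAPSHOT is constructed to resemble a GitHub
dependency-submission payload in which the same artifact is reported twice.
"""
from typing import Dict, List, Tuple

# Constructed snapshot (assumed shape: manifests -> resolved -> purl -> metadata).
SNAPSHOT = {
    "manifests": {
        "build.sbt": {
            "resolved": {
                "pkg:maven/io.projectreactor.netty/reactor-netty-http@1.0.39": {
                    "relationship": "indirect",
                },
                "pkg:maven/io.projectreactor.netty/reactor-netty-http@1.1.13": {
                    "relationship": "indirect",
                },
                "pkg:maven/org.http4s/http4s-core_2.13@0.23.23": {
                    "relationship": "direct",
                },
            }
        }
    }
}

# Fixed version per package (1.1.13 from https://spring.io/security/cve-2023-34054).
FIXED: Dict[str, str] = {
    "pkg:maven/io.projectreactor.netty/reactor-netty-http": "1.1.13",
}


def parse_purl(purl: str) -> Tuple[str, str]:
    """Split 'pkg:maven/group/artifact@version' into (package, version)."""
    name, _, version = purl.rpartition("@")
    return name, version


def version_key(version: str) -> Tuple[int, ...]:
    """Comparison key for dotted versions; non-numeric components count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def vulnerable_entries(snapshot: dict, fixed: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (manifest, purl, relationship) for each entry below its fixed version.

    Every resolved entry is checked on its own, so a vulnerable version is
    reported even when a fixed version of the same package is also resolved.
    """
    hits: List[Tuple[str, str, str]] = []
    for manifest, body in snapshot["manifests"].items():
        for purl, meta in body["resolved"].items():
            name, version = parse_purl(purl)
            fix = fixed.get(name)
            if fix is not None and version_key(version) < version_key(fix):
                hits.append((manifest, purl, meta.get("relationship", "unknown")))
    return hits


if __name__ == "__main__":
    for manifest, purl, relationship in vulnerable_entries(SNAPSHOT, FIXED):
        name, _ = parse_purl(purl)
        print(f"{manifest}: {purl} ({relationship}) is below fix {FIXED[name]}")
```

Run against a real snapshot, the same logic explains the thread's outcome: the alert is keyed on the versions present in the manifest, so it closes only once no resolved entry below 1.1.13 is submitted.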
What's different is typelevel/sbt-typelevel#671. The config in sbt-typelevel differs from most of our internal projects. The vulnerable dependency is being reported in |
About this PR
Updates io.projectreactor.netty:reactor-netty-http from 1.0.39 to 1.1.13
GitHub Release Notes - Version Diff
Usage
Please merge!
I'll automatically update this PR to resolve conflicts as long as you don't change it yourself.
If you'd like to skip this version, you can just close this PR. If you have any feedback, just mention me in the comments below.
Configure Scala Steward for your repository with a
.scala-steward.conf
file. Have a fantastic day writing Scala!
Adjust future updates
Add this to your
.scala-steward.conf
file to ignore future updates of this dependency:
Or, add this to slow down future updates of this dependency:
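An added example of the two snippets referred to above, written from Scala Steward's documented `.scala-steward.conf` keys (`updates.ignore` and `dependencyOverrides`); this is not the text of the original PR body, and the 30-day interval is an assumed value.

```hocon
# Ignore future updates of this dependency entirely.
updates.ignore = [
  { groupId = "io.projectreactor.netty", artifactId = "reactor-netty-http" }
]

# Or keep updating it, but open a PR at most every 30 days (assumed interval).
dependencyOverrides = [{
  dependency   = { groupId = "io.projectreactor.netty", artifactId = "reactor-netty-http" }
  pullRequests = { frequency = "30 days" }
}]
```

Note that ignoring the update only silences Scala Steward; a Dependabot alert on the resolved version stays open until the vulnerable version stops being submitted, which is the problem the thread above is working through.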