Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): bump org.apache.maven.plugins:maven-dependency-plugin from 3.5.0 to 3.8.0 in /jans-fido2 #9247

Closed
wants to merge 1 commit into from
Closed

chore(deps): bump org.apache.maven.plugins:maven-dependency-plugin from 3.5.0 to 3.8.0 in /jans-fido2 #9247

wants to merge 1 commit into from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Aug 22, 2024
edited
Loading

Bumps org.apache.maven.plugins:maven-dependency-plugin from 3.5.0 to 3.8.0.

Release notes

Sourced from org.apache.maven.plugins:maven-dependency-plugin's releases.

3.7.1

🐛 Bug Fixes

📦 Dependency updates

👻 Maintenance

3.7.0

🚀 New features and improvements

🐛 Bug Fixes

📦 Dependency updates

... (truncated)

Commits
  • 75814c7 [maven-release-plugin] prepare release maven-dependency-plugin-3.8.0
  • 50397c4 [MDEP-903] Upgrade to Doxia 2.0.0 Milestone Stack
  • 1115ecb Bump org.codehaus.plexus:plexus-archiver from 4.9.2 to 4.10.0
  • 5288cec Bump org.apache.maven.plugins:maven-plugins from 42 to 43
  • ea4d8e2 Bump jettyVersion from 9.4.54.v20240208 to 9.4.55.v20240627
  • 2d0b82a Bump org.codehaus.plexus:plexus-io from 3.4.2 to 3.5.0
  • 86b7772 (doc) Remove repeated word
  • 94e1caf Bump org.jsoup:jsoup from 1.17.2 to 1.18.1
  • 06b4273 Bump org.assertj:assertj-core from 3.26.0 to 3.26.3
  • 71cee33 Remove outdated invoker conditions
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot requested a review from yurem as a code owner August 22, 2024 11:05
@dependabot dependabot bot added java Pull requests that update Java code kind-dependencies Pull requests that update a dependency file labels Aug 22, 2024
@dependabot dependabot bot requested a review from yackermann as a code owner August 22, 2024 11:05
@dryrunsecurity DryRunSecurity
Copy link

dryrunsecurity bot commented Aug 22, 2024
edited
Loading

DryRun Security Summary

The provided code change updates the maven-dependency-plugin version in the pom.xml file of the jans-fido2 project from 3.5.0 to 3.8.0, which is a routine maintenance task that does not introduce any immediate security concerns, but it's important to ensure that the new version of the plugin does not contain any known security vulnerabilities.

Expand for full summary

Summary:

The provided code change is an update to the maven-dependency-plugin version in the pom.xml file of the jans-fido2 project. Specifically, the version is being updated from 3.5.0 to 3.8.0. From an application security perspective, this change is not particularly interesting, as the maven-dependency-plugin is a build tool plugin used to manage project dependencies, and updating the version of this plugin is a routine maintenance task. As long as the new version does not introduce any known security vulnerabilities, this change should not have a significant impact on the application's security.

However, it's important to note that the pom.xml file contains various other configuration settings, such as project metadata, dependency management, and plugin management. While these settings are not directly related to application security, it's important to review them periodically to ensure that the project is configured correctly and that the dependencies are up-to-date and secure.

Files Changed:

  • jans-fido2/pom.xml: This file has been updated to use version 3.8.0 of the maven-dependency-plugin, which is a routine maintenance task. The change does not introduce any immediate security concerns, but it's important to ensure that the new version of the plugin does not contain any known security vulnerabilities.

Code Analysis

We ran 9 analyzers against 1 file and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings
Sensitive Files Analyzer 1 finding

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

@dependabot dependabot bot force-pushed the dependabot/maven/jans-fido2/org.apache.maven.plugins-maven-dependency-plugin-3.8.0 branch from ffcf85c to 2e40f78 Compare September 16, 2024 11:41
@dependabot
chore(deps): bump org.apache.maven.plugins:maven-dependency-plugin
209d7e1 
Bumps [org.apache.maven.plugins:maven-dependency-plugin](https://github.com/apache/maven-dependency-plugin) from 3.5.0 to 3.8.0.
- [Release notes](https://github.com/apache/maven-dependency-plugin/releases)
- [Commits](apache/maven-dependency-plugin@maven-dependency-plugin-3.5.0...maven-dependency-plugin-3.8.0)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-dependency-plugin
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot force-pushed the dependabot/maven/jans-fido2/org.apache.maven.plugins-maven-dependency-plugin-3.8.0 branch from 2e40f78 to 209d7e1 Compare September 17, 2024 14:06
@dependabot Dependabot
Copy link
Contributor Author

dependabot bot commented on behalf of github Oct 28, 2024

Superseded by #9959.

@dependabot dependabot bot closed this Oct 28, 2024
@dependabot dependabot bot deleted the dependabot/maven/jans-fido2/org.apache.maven.plugins-maven-dependency-plugin-3.8.0 branch October 28, 2024 10:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yurem yurem Awaiting requested review from yurem yurem is a code owner

@yackermann yackermann Awaiting requested review from yackermann yackermann is a code owner

Assignees
No one assigned
Labels
java Pull requests that update Java code kind-dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants