fix(sec): upgrade io.netty:netty-codec-http to 4.1.86.final #1360

Merged

@1derian 1derian commented Jan 30, 2023

What happened?

There is 1 security vulnerability found in io.netty:netty-codec-http 4.1.71.Final

What did I do?

Upgrade io.netty:netty-codec-http from 4.1.71.Final to 4.1.86.final for vulnerability fix

What did you expect to happen?

Ideally, no insecure libs should be used.

The specification of the pull request

PR Specification from OSCS

@jcchavezs jcchavezs requested a review from shakuzen February 21, 2023 13:42
@shakuzen shakuzen left a comment

The build is failing because of the license header check. Try running ./mvnw com.mycila:license-maven-plugin:format to fix it. We'll want to see our tests pass with the dependency upgrade.

pom.xml Outdated
@@ -114,7 +114,7 @@
<grpc.version>1.34.1</grpc.version>
<protobuf.version>3.12.0</protobuf.version>
<!-- prefer grpc's version of netty -->
<netty.version>4.1.71.Final</netty.version>
<netty.version>4.1.86.final</netty.version>
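
Review bot: On the changed `<netty.version>` line, the new value is written `4.1.86.final` with a lowercase qualifier, while the value it replaces is `4.1.71.Final`; Maven uses the version string verbatim when resolving the artifact, so write it as `4.1.86.Final` to match the casing already used on this line. The hunk also leaves `<grpc.version>` at 1.34.1 directly under the comment `<!-- prefer grpc's version of netty -->`, so the comment should say whether the pinned netty still follows that grpc release or is now a deliberate override, and the grpc property should be reviewed in the same change.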

The comment above this leads me to believe we might run into issues if we do not also upgrade the version of grpc.

@jcchavezs

Any movement here?

@codefromthecrypt

I corrected the alignment rather than nag

@codefromthecrypt codefromthecrypt force-pushed the oscs_fix_cfbn36gau51u2n4fth60 branch from 6da6cf2 to 351750e Compare December 15, 2023 10:52
@codefromthecrypt codefromthecrypt merged commit 5a7175e into openzipkin:master Dec 15, 2023
1 check passed