[Snyk] Fix for 10 vulnerabilities #29

Merged
kburger merged 1 commit into master from snyk-fix-6887aad0ab65fcd637e5d06cfc37f4c2
Apr 30, 2026

Conversation

kburger (Contributor) commented Apr 28, 2026

Snyk has created this PR to fix 10 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

  • pom.xml

Vulnerabilities that will be fixed with an upgrade:

| Severity | Issue | Score | Upgrade | Exploit Maturity |
| --- | --- | --- | --- | --- |
| high | Uncontrolled Recursion (SNYK-JAVA-ORGAPACHECOMMONS-10734078) | 145 | org.apache.poi:poi-ooxml: 5.4.0 -> 5.5.0 | No Known Exploit |
| high | Allocation of Resources Without Limits or Throttling (SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551) | 125 | | No Known Exploit |
| high | Stack-based Buffer Overflow (SNYK-JAVA-COMFASTERXMLJACKSONCORE-10500754) | 124 | | No Known Exploit |
| high | Insecure Temporary File (SNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-16198880) | 117 | org.springframework.boot:spring-boot-starter: 3.5.0 -> 3.5.14 | No Known Exploit |
| high | Denial of Service (DoS) (SNYK-JAVA-COMFASTERXMLJACKSONCORE-7569538) | 115 | | No Known Exploit |
| medium | Symlink Attack (SNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-16201011) | 80 | org.springframework.boot:spring-boot-starter: 3.5.0 -> 3.5.14 | No Known Exploit |
| medium | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (SNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-16191649) | 77 | org.springframework.boot:spring-boot-starter: 3.5.0 -> 3.5.14 | No Known Exploit |
| low | External Initialization of Trusted Variables or Data Stores (SNYK-JAVA-CHQOSLOGBACK-15062482) | 71 | ch.qos.logback:logback-core: 1.5.19 -> 1.5.25; ch.qos.logback:logback-classic: 1.5.18 -> 1.5.25 | No Known Exploit |
| low | Improper Validation of Certificate with Host Mismatch (SNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-16191022) | 68 | org.springframework.boot:spring-boot-starter: 3.5.0 -> 3.5.14 | No Known Exploit |
| low | Improper Validation of Certificate with Host Mismatch (SNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-16200231) | 68 | org.springframework.boot:spring-boot-starter: 3.5.0 -> 3.5.14 | No Known Exploit |

Breaking Change Risk

Merge Risk: Medium

Notice: This assessment is enhanced by AI.

Vulnerabilities that could not be fixed

  • Upgrade:
    • Could not upgrade org.eclipse.rdf4j:rdf4j-repository-sail@5.1.3 to org.eclipse.rdf4j:rdf4j-repository-sail@5.3.0; Reason: could not apply upgrade, dependency is managed externally; Location: provenance does not contain location
    • Could not upgrade com.fasterxml.jackson.core:jackson-core@2.13.5 to com.fasterxml.jackson.core:jackson-core@2.21.2; Reason: could not apply upgrade, dependency is managed externally; Location: https://maven-central.storage-download.googleapis.com/maven2/com/fasterxml/jackson/jackson-bom/2.13.5/jackson-bom-2.13.5.pom
    • Could not upgrade com.fasterxml.jackson.core:jackson-databind@2.13.5 to com.fasterxml.jackson.core:jackson-databind@2.21.2; Reason: could not apply upgrade, dependency is managed externally; Location: https://maven-central.storage-download.googleapis.com/maven2/com/fasterxml/jackson/jackson-bom/2.13.5/jackson-bom-2.13.5.pom
    • Could not upgrade com.fasterxml.jackson.dataformat:jackson-dataformat-yaml@2.13.5 to com.fasterxml.jackson.dataformat:jackson-dataformat-yaml@2.21.2; Reason: could not apply upgrade, dependency is managed externally; Location: https://maven-central.storage-download.googleapis.com/maven2/com/fasterxml/jackson/jackson-bom/2.13.5/jackson-bom-2.13.5.pom

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Allocation of Resources Without Limits or Throttling
🦉 Denial of Service (DoS)
🦉 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
🦉 More lessons are available in Snyk Learn

kburger (Contributor, Author) commented Apr 28, 2026

Merge Risk: Medium

This release includes several dependency upgrades, with the most significant being the update to the Jackson libraries. The overall risk is assessed as medium due to potential behavioral changes in Jackson that require verification.

Top 3 Most Impactful Upgrades:

  • com.fasterxml.jackson (core/databind/dataformat-yaml) 2.13.5 → 2.21.2 (Medium Risk)
    This is a significant minor version jump. While there are no major API removals, developers should be aware of several behavioral changes:

    • @JsonIgnore Precedence: As of version 2.14, @JsonIgnore now has priority over @JsonProperty in cases of conflicting annotations, which reverses the previous behavior.
    • JsonNode.with() Behavior Change: The with() and withArray() methods in JsonNode now interpret parameters with a leading slash (/) as JSON Pointer expressions.
    • Platform Requirements: The minimum required Java version for jackson-core is now 8, and the minimum Android SDK is 26 (starting from version 2.14).
    • Kotlin Module: Users of the Kotlin module should note that the deprecated MissingKotlinParameterException and the old StrictNullChecks backend have been removed in version 2.21.
  • org.eclipse.rdf4j:rdf4j-repository-sail 5.1.3 → 5.3.0 (Low Risk)
    This upgrade introduces new features and performance improvements. The release notes for versions 5.2.0 and 5.3.0 do not indicate any breaking API changes. Key additions include enhanced query observability and a new Spring Boot distribution. The Solr Sail has been deprecated but will be removed in a future major version.

  • org.apache.poi:poi-ooxml 5.4.0 → 5.5.0 (Low Risk)
    This minor upgrade primarily consists of dependency updates. There are no documented breaking API or behavioral changes for projects consuming the library via Maven.

Other Upgrades:

The remaining upgrades are patch versions and are considered low risk, containing bug fixes and minor improvements:

  • org.springframework.boot:spring-boot-starter 3.5.0 → 3.5.14 (low)
  • ch.qos.logback:logback-core 1.5.19 → 1.5.25 (low)
  • ch.qos.logback:logback-classic 1.5.18 → 1.5.25 (low)

Recommendation: Developers should review their use of Jackson annotations and JsonNode methods to ensure compatibility with the new behaviors. Testing is recommended to validate that serialization and deserialization logic continues to function as expected.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

@kburger kburger requested a review from SeanBerrieHRI April 30, 2026 09:06
@kburger kburger merged commit 38905f3 into master Apr 30, 2026
7 of 17 checks passed