fix(deps): patch osv-scan dependency vulnerabilities#110
Open
seonghobae wants to merge 1 commit into
Open
Conversation
Resolve OSV-confirmed dependency vulnerabilities in pom.xml so osv-scan passes across clearfolio PRs. Verified via `mvn dependency:tree` (BUILD SUCCESS) since osv-scanner itself 429s on Maven Central during parent/BOM resolution and cannot resolve transitive versions. Changes: - Bump spring-boot-starter-parent 3.5.0 -> 3.5.14 (fixes spring-boot CVE-2026-40973; raises managed floors for logback/reactor-netty/assertj/ base spring-framework/jackson/netty). - Remove unused org.apache.tika:tika-parsers-standard-package 3.2.2 (zero source usage). Eliminates the only CRITICAL, bcprov-jdk18on CVE-2025-14813, plus bcpkix-jdk18on, commons-io 2.7, commons-lang3 3.17.0, and junrar 7.5.5 findings — 7 CVEs and a large parser attack surface. - Override three spring-boot-dependencies BOM properties to force transitive floors: netty.version=4.1.135.Final -> clears all 18 netty CVEs jackson-bom.version=2.21.4 -> clears jackson-databind CVE-2026-54512/54513/54514 and jackson-core GHSA-72hv-8253-57qq spring-framework.version=6.2.18 -> clears spring-core CVE-2025-41249, spring-web CVE-2025-41234, and spring-webflux CVEs Verified (mvn dependency:tree): no tika/bouncycastle/junrar/commons-io:2.7 remain; every io.netty:* is 4.1.135.Final; jackson-databind 2.21.4; spring-core/web/webflux 6.2.18; spring-boot 3.5.14. `mvn -DskipTests compile` succeeds. Residual: jackson-databind CVE-2026-54515 (MODERATE) has no published fix for the 2.19+ line — accept/suppress and track upstream. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_017RkKdtHRLG4wSLh6PVsp8J
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Patches OSV-confirmed dependency vulnerabilities in
pom.xmlsoosv-scanpasses across clearfolio PRs. Minimal, idiomatic Spring Boot fix: bump the parent, drop an unused heavy dependency, and override three BOM version properties — no<dependencyManagement>block needed.Confirmed CVEs cleared
Remove unused Tika (
tika-parsers-standard-package3.2.2 — zero source usage) — 7 CVEs, incl. the only CRITICAL:Bump
spring-boot-starter-parent3.5.0 → 3.5.14:Override BOM properties to force transitive floors:
netty.version=4.1.135.Final— clears all 18 netty CVEs (reachable via the live webflux/reactor-netty HTTP server — the largest real exposure)jackson-bom.version=2.21.4— jackson-databind CVE-2026-54512 / 54513 / 54514, jackson-core GHSA-72hv-8253-57qq (jackson-databind is a direct dep, used inApiErrorResponse.java)spring-framework.version=6.2.18— spring-core CVE-2025-41249, spring-web CVE-2025-41234, spring-webflux CVEsVerification
mvn -DskipTests compilesucceeds.mvn dependency:treeconfirms:org.apache.tika/org.bouncycastle/junrar/commons-io:2.7artifacts remainio.netty:*module is4.1.135.Finaljackson-databindis2.21.4spring-core/spring-web/spring-webfluxare6.2.18spring-bootis3.5.14osv-scannerwas rate-limited (HTTP 429) resolving the parent POM from Maven Central, so the authoritative transitive-version verification is themvn dependency:treeabove (BUILD SUCCESS).Residual (cannot fix)
🤖 Generated with Claude Code