Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update deps #2385

Closed
2 tasks done
robotdan opened this issue Jul 25, 2023 · 2 comments
Closed
2 tasks done

Update deps #2385

robotdan opened this issue Jul 25, 2023 · 2 comments
Assignees
@robotdan
Labels
internals Non-functional nerdy boring stuff
Projects
FusionAuth Issues
Milestone
1.48.0

Comments

@robotdan
Copy link
Member

robotdan commented Jul 25, 2023
edited

Update deps

Description

Update various dependencies.

  • google-guice 5.1.0 to 6.0.0
  • google-guava 30.1.0 to 32.1.2
  • java-http 0.2.0 to 0.2.9
  • kafka-clients 2.8.2 to 3.6.0
  • prime-mvc 4.11.0 to 4.17.1
  • snappy-java 1.1.8.1 to 1.1.10.4

List the versions here once we know what they are.

Related CVEs

Review available list of CVEs related to 3rd party deps, while not necessarily vulnerable, updating these deps will remove the CVEs from scanners.

FusionAuth has no known vulnerabilities related to the above mentioned CVEs.

Tasks

  • Final review for dependency changes (scan class path, docker image, etc)
  • Complete description for any dependency changes to and from version

Related

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

Release Notes

Update 3rd party dependencies to remove CVE scan warnings. No known exploits are vulnerabilities exist in FusionAuth as the result of using these 3rd party clients. These upgrades are simply a precautionary measure to stay current.
** Upgrade google-guice 5.1.0 to 6.0.0
** Upgrade google-guava 30.1.0 to 32.1.2
** Upgrade java-http 0.2.0 to 0.2.9
** Upgrade kafka-clients 2.8.2 to 3.6.0
** Upgrade prime-mvc 4.11.0 to 4.17.1
** Upgrade snappy-java 1.1.8.1 to 1.1.10.4
@robotdan robotdan self-assigned this Jul 25, 2023
@robotdan robotdan added this to Backlog in FusionAuth Issues via automation Jul 25, 2023
@robotdan robotdan added the internals Non-functional nerdy boring stuff label Jul 25, 2023
@robotdan robotdan added this to the 1.48.0 milestone Jul 25, 2023
@robotdan
Copy link
Member Author

robotdan commented Aug 4, 2023
edited

Internal:

@robotdan robotdan moved this from Backlog to Code complete in FusionAuth Issues Aug 4, 2023
@robotdan robotdan mentioned this issue Aug 4, 2023
Closed
5 tasks
@robotdan robotdan moved this from Code complete to Reviewer approved in FusionAuth Issues Aug 4, 2023
@robotdan
Copy link
Member Author

robotdan commented Oct 8, 2023

We could optionally upgrade to Guice 7 I think now that MyBatis has been updated. But we'd need to test to see if there are any other libraries that still have not moved to jarkarta.
mybatis/guice#576

@robotdan robotdan moved this from Reviewer approved to Code complete in FusionAuth Issues Oct 11, 2023
@robotdan robotdan removed the security label Oct 20, 2023
@robotdan robotdan mentioned this issue Oct 28, 2023
Closed
6 tasks
@robotdan robotdan moved this from Code complete to Delivered in FusionAuth Issues Oct 30, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@robotdan robotdan

Labels
internals Non-functional nerdy boring stuff
Projects
FusionAuth Issues
  
Delivered
Milestone
1.48.0
Development

No branches or pull requests
1 participant
@robotdan