Timeline for jHipster v8 / Spring 6 Upgrade #20748

Closed
jazonmiller opened this issue Jan 6, 2023 · 3 comments

Comments

@jazonmiller

Overview of the feature request

Is there a timeline for the jHipster v8 release, and is it still planned to upgrade to Spring 6 as part of that release?

Motivation for or Use Case

Our team uses Prisma Cloud to scan all containers as part of our CI/CD pipeline and blocks deployments with High and Critical findings. We recently started receiving Prisma findings for CVE-2016-1000027, https://nvd.nist.gov/vuln/detail/CVE-2016-1000027. This is a finding in org.springframework.spring-web that has existed since 2016 but was previously not prioritized at the time of creation, so it never showed up on any previous scans. Addressing the finding would cause a breaking change to the framework, so Spring has no plans to address the issue in any of the maintained versions, but they have removed the code from the latest 6.x release. Since upgrading to Spring 6 is a major change, we would prefer to utilize the JHipster upgrade process instead of making manual changes.

I saw the previous PR for upgrading to Spring Boot 3 as part of the v8 release was closed. #19782

Related issues or PR
  • [x] Checking this box is mandatory (this is just to show you read everything)

@gmarziou
Contributor

gmarziou commented Jan 6, 2023

@jazonmiller Well, the Spring team explained a lot in this issue that it's a false positive for most apps as long as they don't use HttpInvoker.

So, is there anything that prevents you from suppressing this as a false positive from your tool?

Personally, this is what I did for my apps after having proved that HttpInvoker was never instantiated.

And if you really want to start with Spring 6, nothing prevents you from using JHipster 8 from main branch.

@github-actions
Contributor

This issue is stale because it has been open for too long without any activity.
Due to the moving nature of JHipster generated applications, bugs can become invalid.
If this issue still applies, please comment; otherwise it will be closed in 7 days.

@mraible
Contributor

mraible commented Sep 21, 2023

Follow #23449 for 8.0 updates. I'm closing this issue.

@mraible mraible closed this as completed Sep 21, 2023
@deepu105 deepu105 added this to the 8.0.0-rc.1 milestone Oct 14, 2023