billmcchesney1 / foxtrot

A store abstraction and analytics system for real-time event data.
Apache License 2.0

Update dependency io.dropwizard:dropwizard-core to v1.3.27 - autoclosed #408

Closed mend-for-github-com[bot] closed 7 months ago

mend-for-github-com[bot] commented 8 months ago

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| io.dropwizard:dropwizard-core | compile | patch | 1.3.13 -> 1.3.27 |

By merging this PR, the below issues will be automatically resolved and closed:

| Severity | CVSS Score | CVE | GitHub Issue |
|---|---|---|---|
| Critical | 9.8 | CVE-2022-1471 | #362 |
| High | 7.5 | CVE-2017-18640 | #85 |
| High | 7.5 | CVE-2021-28165 | #296 |
| High | 7.5 | CVE-2022-25857 | #348 |

By merging this PR, the below issues will be automatically resolved and closed:

| Severity | CVSS Score | CVE | GitHub Issue |
|---|---|---|---|
| High | 7.5 | CVE-2023-36478 | #403 |

By merging this PR, the below issues will be automatically resolved and closed:

| Severity | CVSS Score | CVE | GitHub Issue |
|---|---|---|---|
| High | 7.0 | CVE-2020-27216 | #187 |

Release Notes

dropwizard/dropwizard

### [`v1.3.27`](https://togithub.com/dropwizard/dropwizard/releases/tag/v1.3.27)

[Compare Source](https://togithub.com/dropwizard/dropwizard/compare/v1.3.26...v1.3.27)

##### Improvements

- Remove obsolete `NonblockingServletHolder` ([#3527](https://togithub.com/dropwizard/dropwizard/issues/3527))
- `NonblockingServletHolder` is now deprecated and will be removed in Dropwizard 2.1.x.

##### Security

- Bump jetty.version from 9.4.32.v20200930 to 9.4.33.v20201020 ([#3522](https://togithub.com/dropwizard/dropwizard/issues/3522))
- This is addressing https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6 (CVE-2020-27216)

##### Dependency updates

- Bump joda-time from 2.10.7 to 2.10.8 ([#3525](https://togithub.com/dropwizard/dropwizard/issues/3525))
- Bump jetty.version from 9.4.32.v20200930 to 9.4.33.v20201020 ([#3522](https://togithub.com/dropwizard/dropwizard/issues/3522))
- Bump assertj-core from 3.17.2 to 3.18.0 ([#3524](https://togithub.com/dropwizard/dropwizard/issues/3524))

### [`v1.3.26`](https://togithub.com/dropwizard/dropwizard/releases/tag/v1.3.26)

[Compare Source](https://togithub.com/dropwizard/dropwizard/compare/v1.3.25...v1.3.26)

#### Improvements

- Swallow `EofException` when response was incomplete ([#3382](https://togithub.com/dropwizard/dropwizard/issues/3382))

#### Bug fixes

- Reset Jersey client in tests ([#3453](https://togithub.com/dropwizard/dropwizard/issues/3453))

#### Dependency updates

- Bump Mustache Java compiler from 0.9.6 to 0.9.7 ([#3508](https://togithub.com/dropwizard/dropwizard/issues/3508))
- Bump guava from 24.1.1-jre to 30.0-jre ([#3509](https://togithub.com/dropwizard/dropwizard/issues/3509))
- Bump httpclient from 4.5.12 to 4.5.13 ([#3516](https://togithub.com/dropwizard/dropwizard/issues/3516))
- Bump jdbi3-bom from 3.14.3 to 3.17.0 ([#3510](https://togithub.com/dropwizard/dropwizard/issues/3510))
- Bump jetty.version from 9.4.31.v20200723 to 9.4.32.v20200930 ([#3478](https://togithub.com/dropwizard/dropwizard/issues/3478))
- Bump joda-time from 2.10.6 to 2.10.7 ([#3519](https://togithub.com/dropwizard/dropwizard/issues/3519))
- Bump metrics-bom from 4.1.12.1 to 4.1.14 ([#3520](https://togithub.com/dropwizard/dropwizard/issues/3520))
- Bump tomcat-jdbc from 9.0.37 to 9.0.39 ([#3495](https://togithub.com/dropwizard/dropwizard/issues/3495))
- Upgrade to Liquibase 3.10.3
- Bump assertj-core from 3.16.1 to 3.17.2 ([#3448](https://togithub.com/dropwizard/dropwizard/issues/3448))
- Bump junit from 4.12 to 4.13.1 ([joschi/dropwizard-1.3#24](https://togithub.com/joschi/dropwizard-1.3/issues/24), [joschi/dropwizard-1.3#25](https://togithub.com/joschi/dropwizard-1.3/issues/25))
- Bump mockito.version from 3.4.6 to 3.5.15 ([#3513](https://togithub.com/dropwizard/dropwizard/issues/3513))
- Bump maven-project-info-reports-plugin from 3.1.0 to 3.1.1 ([joschi/dropwizard-1.3#29](https://togithub.com/joschi/dropwizard-1.3/issues/29))
- Bump octokit from 4.18.0 to 4.19.0 in /docs ([#3518](https://togithub.com/dropwizard/dropwizard/issues/3518))
- Enforce checker-qual 3.7.0 for dependency convergence

### [`v1.3.25`](https://togithub.com/dropwizard/dropwizard/releases/tag/v1.3.25)

[Compare Source](https://togithub.com/dropwizard/dropwizard/compare/v1.3.24...v1.3.25)

##### Changes since Dropwizard 1.3.25-beta.2

##### Dependency updates

- Upgrade to Jackson 2.9.10.20200824 ([#3433](https://togithub.com/dropwizard/dropwizard/issues/3433))

##### Changes since Dropwizard 1.3.24

##### Improvements

- Remove alpn-boot dependency in dropwizard-http2 for Java 8u252 ([#3256](https://togithub.com/dropwizard/dropwizard/issues/3256))
- Extend from AbstractHandlerContainer instead of AbstractHandler ([#2460](https://togithub.com/dropwizard/dropwizard/issues/2460))
- Add JAXB API to dropwizard-jersey (Java 11)
- Use SslContextFactory.Server over deprecated SslContextFactory ([#3411](https://togithub.com/dropwizard/dropwizard/issues/3411))

##### Dependency updates

- Upgrade to Jetty 9.4.31.v20200723
- Upgrade to jetty-setuid-java 1.0.4
- Upgrade to Liquibase 3.10.2
- Upgrade to Joda-Time 2.10.6
- Upgrade to Jdbi 3.14.3
- Upgrade to SLF4J 1.7.30
- Upgrade to Apache Tomcat JDBC Pool 9.0.37
- Upgrade to Apache HttpClient 4.5.12
- Upgrade to commons-text 1.9
- Upgrade to commons-lang3 3.11
- Upgrade to Metrics 4.1.12.1
- Upgrade to Freemarker 2.3.30
- Upgrade to Objenesis 3.1
- Upgrade to Javassist 3.27.0-GA
- Upgrade to Classmate 1.5.1

##### Test dependencies

- Upgrade to HSQLDB 2.5.1
- Upgrade to JUnit 5.6.2
- Upgrade to Mockito 3.4.6
- Upgrade to AssertJ 3.16.1
- Upgrade to Error Prone 2.3.4
- Upgrade to NullAway 0.7.10

##### Build dependencies

- Update wrapper to Maven 3.6.3
- Bump octokit from 4.8.0 to 4.18.0 in /docs ([#23](https://togithub.com/dropwizard/dropwizard/issues/23))
- Upgrade to sphinx-maven-plugin 2.9.0
- Upgrade to maven-source-plugin 3.2.1
- Upgrade to maven-site-plugin 3.9.1
- Upgrade to maven-resources-plugin 3.2.0
- Upgrade to maven-project-info-reports-plugin 3.1.0
- Upgrade to maven-javadoc-plugin 3.2.0
- Upgrade to maven-jar-plugin 3.2.0
- Upgrade to maven-clean-plugin 3.1.0
- Upgrade to maven-checkstyle-plugin 3.1.1
- Upgrade to jacoco-maven-plugin 0.8.5
- Upgrade to build-helper-maven-plugin 3.2.0
- Update Maven plugins in java-simple archetype POM template
- Update Maven plugins in dropwizard-example
- Update Maven plugins in dropwizard-archetypes

##### Assorted

- Fix build of `dropwizard-example` with Java 11

### [`v1.3.24`](https://togithub.com/dropwizard/dropwizard/releases/tag/v1.3.24)

[Compare Source](https://togithub.com/dropwizard/dropwizard/compare/v1.3.23...v1.3.24)

##### Dependency updates

- Upgrade to Jackson 2.9.10.20200621 ([#3344](https://togithub.com/dropwizard/dropwizard/issues/3344))

### [`v1.3.23`](https://togithub.com/dropwizard/dropwizard/releases/tag/v1.3.23)

[Compare Source](https://togithub.com/dropwizard/dropwizard/compare/v1.3.22...v1.3.23)

##### Dependency updates

- Upgrade to Jackson 2.9.10.20200411 ([#3246](https://togithub.com/dropwizard/dropwizard/issues/3246))

### [`v1.3.22`](https://togithub.com/dropwizard/dropwizard/releases/tag/v1.3.22)

[Compare Source](https://togithub.com/dropwizard/dropwizard/compare/v1.3.21...v1.3.22)

#### Security

- Upgrade to SnakeYAML to address [CVE-2017-18640](https://nvd.nist.gov/vuln/detail/CVE-2017-18640) ([#3223](https://togithub.com/dropwizard/dropwizard/issues/3223), [#3227](https://togithub.com/dropwizard/dropwizard/issues/3227), [FasterXML/jackson-dataformats-text#187](https://togithub.com/FasterXML/jackson-dataformats-text/issues/187))

### [`v1.3.21`](https://togithub.com/dropwizard/dropwizard/releases/tag/v1.3.21)

[Compare Source](https://togithub.com/dropwizard/dropwizard/compare/v1.3.20...v1.3.21)

#### Security

- Disable message interpolation in `ConstraintViolations` by default ([#3209](https://togithub.com/dropwizard/dropwizard/issues/3209))

### [`v1.3.20`](https://togithub.com/dropwizard/dropwizard/releases/tag/v1.3.20)

[Compare Source](https://togithub.com/dropwizard/dropwizard/compare/v1.3.19...v1.3.20)

#### Security

- Upgrade to Jackson 2.9.10.20200223 to address CVE-2020-8840 ([#3168](https://togithub.com/dropwizard/dropwizard/issues/3168))

### [`v1.3.19`](https://togithub.com/dropwizard/dropwizard/releases/tag/v1.3.19)

[Compare Source](https://togithub.com/dropwizard/dropwizard/compare/v1.3.18...v1.3.19)

#### Security

- Escape EL expressions in `ViolationCollector` to address CVE-2020-5245 ([#3160](https://togithub.com/dropwizard/dropwizard/issues/3160))
  - Security Advisory: [Remote Code Execution (RCE) vulnerability in dropwizard-validation <2.0.2](https://togithub.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf)
  - Thanks to Alvaro Muñoz ([@pwntester](https://togithub.com/pwntester)) and the [GitHub Security Lab](https://securitylab.github.com/) for the responsible disclosure!

### [`v1.3.18`](https://togithub.com/dropwizard/dropwizard/releases/tag/v1.3.18)

[Compare Source](https://togithub.com/dropwizard/dropwizard/compare/v1.3.17...v1.3.18)

- Update Jackson version to 2.9.10.20200103 to address CVE-2019-20330 ([#3100](https://togithub.com/dropwizard/dropwizard/issues/3100)). Thanks to [@msymons](https://togithub.com/msymons)!

### [`v1.3.17`](https://togithub.com/dropwizard/dropwizard/releases/tag/v1.3.17)

[Compare Source](https://togithub.com/dropwizard/dropwizard/compare/v1.3.16...v1.3.17)

- Add SLF4J marker to dropwizard-json-logging ([#3005](https://togithub.com/dropwizard/dropwizard/issues/3005))
- Enable Jackson Afterburner only on Java 8 (backport) ([#3028](https://togithub.com/dropwizard/dropwizard/issues/3028))
- Upgrade Apache HttpClient to 4.5.10 to fix URI rewriting ([#3029](https://togithub.com/dropwizard/dropwizard/issues/3029))

### [`v1.3.16`](https://togithub.com/dropwizard/dropwizard/releases/tag/v1.3.16)

[Compare Source](https://togithub.com/dropwizard/dropwizard/compare/v1.3.15...v1.3.16)

- Upgrade to Jackson 2.9.10.20191020 to address CVE-2019-16942, CVE-2019-16943, and CVE-2019-17531 ([#2988](https://togithub.com/dropwizard/dropwizard/issues/2988), thanks to [@msymons](https://togithub.com/msymons))

### [`v1.3.15`](https://togithub.com/dropwizard/dropwizard/releases/tag/v1.3.15)

[Compare Source](https://togithub.com/dropwizard/dropwizard/compare/v1.3.14...v1.3.15)

- Upgrade to Jackson 2.9.10 to address multiple security issues ([#2939](https://togithub.com/dropwizard/dropwizard/issues/2939))

### [`v1.3.14`](https://togithub.com/dropwizard/dropwizard/releases/tag/v1.3.14)

[Compare Source](https://togithub.com/dropwizard/dropwizard/compare/v1.3.13...v1.3.14)

- Upgrade to Jackson 2.9.9.20190807 to address multiple security issues ([#2871](https://togithub.com/dropwizard/dropwizard/issues/2871))