eclipse-rdf4j / rdf4j

Eclipse RDF4J: scalable RDF for Java
https://rdf4j.org/
BSD 3-Clause "New" or "Revised" License

Upgrade netty to 4.1.111 #5050

Closed barthanssens closed 3 months ago

barthanssens commented 3 months ago

Current Behavior

I've noticed, when releasing the docker workbench image, there are a few vulnerabilities in netty (which may or may not affect RDF4J workbench)

Expected Behavior

Upgrading to the latest (patch) release of netty should fix the reported CVEs for netty dependencies

Steps To Reproduce

No response

Version

5.0.0

Are you interested in contributing a solution yourself?

Yes

Anything else?

Might not be that straightforward, since netty is being used by (sub)dependencies, some excludes/includes in POMs can be expected

barthanssens commented 3 months ago

Dependency management is honored by most but not all (sub)dependencies, e.g. solr-solrj:jar:8.11.2 still uses 4.1.97

But it looks like this version of solr is only used at compile time for rdf4j-spring, and the included dependencies are OK (so probably another issue to pin down the solr-solrj version to 8.9.0 for all modules)
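A check one could run after such an upgrade, as an added example that is not part of the issue or of the RDF4J project's code: it parses the output of `mvn dependency:tree`, walks the indentation to keep the parent chain, and reports every `io.netty` artifact whose version is older than the target release together with the dependency that pulled it in. The embedded tree is constructed to mirror the solr-solrj case described above and is not real RDF4J build output; the threshold `4.1.111.Final`, the function names and the `Finding` type are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Maven scopes that may appear as the last field of a coordinate line.
SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}

# Constructed sample of `mvn dependency:tree` output (hypothetical, not a real RDF4J build).
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.6.1:tree (default-cli) @ rdf4j-spring ---
[INFO] org.eclipse.rdf4j:rdf4j-spring:jar:5.0.0
[INFO] +- io.netty:netty-handler:jar:4.1.111.Final:compile
[INFO] |  \\- io.netty:netty-common:jar:4.1.111.Final:compile
[INFO] \\- org.apache.solr:solr-solrj:jar:8.11.2:compile
[INFO]    +- io.netty:netty-buffer:jar:4.1.97.Final:compile
[INFO]    \\- io.netty:netty-codec:jar:4.1.97.Final:compile
"""

# One tree line: optional "[INFO] ", indentation in 3-char cells ("|  " or "   "),
# optional branch marker ("+- " or "\- "), the coordinate, optional trailing annotation.
LINE = re.compile(r"^(?:\[INFO\] )?((?:\|  |   )*)([+\\]- )?(\S+)(?: .*)?$")


@dataclass
class Finding:
    coordinate: str            # groupId:artifactId
    version: str
    path: list = field(default_factory=list)  # ancestors from the root down


def version_key(version):
    """Numeric prefix of a Maven version, e.g. '4.1.97.Final' -> (4, 1, 97).

    Qualifiers such as 'Final' are ignored, which is sufficient for netty's scheme.
    """
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(n) for n in m.group(0).split(".")) if m else ()


def parse_tree(text):
    """Yield (depth, 'groupId:artifactId', version) for each node in the dump."""
    for raw in text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue
        indent, marker, coords = m.groups()
        parts = coords.split(":")
        if len(parts) < 4:        # not a g:a:type:version coordinate (plugin banner etc.)
            continue
        if parts[-1] in SCOPES:   # drop the scope; the version is then the last field
            parts = parts[:-1]
        depth = len(indent) // 3 + (1 if marker else 0)
        yield depth, f"{parts[0]}:{parts[1]}", parts[-1]


def find_outdated(text, group="io.netty", min_version="4.1.111.Final"):
    """Return artifacts of `group` older than `min_version`, each with its parent chain."""
    want = version_key(min_version)
    ancestors = []   # ancestors[d] is the coordinate at depth d on the current branch
    findings = []
    for depth, coord, version in parse_tree(text):
        del ancestors[depth:]       # leaving a deeper branch discards its nodes
        ancestors.append(coord)
        if coord.startswith(group + ":") and version_key(version) < want:
            findings.append(Finding(coord, version, ancestors[:-1]))
    return findings


if __name__ == "__main__":
    for f in find_outdated(SAMPLE_TREE):
        print(f"{f.coordinate} {f.version} pulled in via {' -> '.join(f.path)}")
```

Feed it real output with `mvn dependency:tree -Dincludes=io.netty > tree.txt` from the module in question; the parent chain in each finding tells you which dependency needs an exclusion or a managed version, which is the information the issue says is hard to pin down by hand.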