fix: upgrade dependencies to resolve critical and high security vulnerabilities#59

Merged: xaviaracil merged 4 commits into 1EdTech:main from zofarkas:fix/security-dependency-upgrades on May 21, 2026
Conversation

@zofarkas
Contributor

Summary

  • Upgrades direct and transitive dependencies in pom.xml to resolve 34 of 45 Snyk-reported security vulnerabilities, including all 1 critical and 21 of 22 high-severity issues
  • The sole remaining high is a jnr-posix license compliance issue (EPL/GPL/LGPL) requiring legal review, not a code fix

Dependency Upgrades

| Package | From | To | Vulns Fixed |
|---|---|---|---|
| org.bouncycastle:bcprov-jdk18on | 1.80 | 1.84 | 1 critical + 2 high |
| org.bouncycastle:bcpkix-jdk18on | 1.77 (transitive) | 1.84 | (included above) |
| io.netty:netty-bom | | 4.1.133.Final | 10 high |
| com.fasterxml.jackson.core:jackson-databind | 2.18.3 | 2.18.7 | 2 high |
| org.apache.logging.log4j:log4j-* | 2.23.1 | 2.25.4 | 3 high (CVE-2026-34478, CVE-2026-34479, CVE-2026-34480) |
| org.apache.commons:commons-lang3 | 3.17.0 (transitive) | 3.18.0 | 1 high |
| org.bitcoinj:bitcoinj-core | 0.17 (transitive) | 0.17.1 | 1 high |
| net.minidev:json-smart | 2.4.7 (transitive) | 2.4.9 | 1 high |
| com.upokecenter:cbor | — (transitive) | 4.5.2 | 1 high |

Test plan

  • mvn clean test — all modules build and pass
  • snyk test --file=inspector-vc/pom.xml — confirms 0 critical, 1 high (license only), 7 medium, 3 low
  • Verify no runtime regressions in deployed environment

🤖 Generated with Claude Code
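The table above mixes direct upgrades with versions that were only ever reached transitively (bcpkix, commons-lang3, bitcoinj-core, json-smart, cbor). The usual way to force those in Maven is a `dependencyManagement` section: it does not add dependencies, but any artifact that some other dependency drags in resolves to the managed version instead of whatever the upstream pom declared. The fragment below is an added illustration of that pattern, not the PR's actual diff to `inspector-vc/pom.xml`; the coordinates and versions are the ones listed in the table, while the property names and the use of the `netty-bom` and `log4j-bom` imports are assumptions about how the project is laid out.

```xml
<!-- Added example, not the PR's own pom.xml change. Coordinates and versions
     are taken from the PR's dependency table; property names and the two BOM
     imports are assumptions about the project layout. -->
<properties>
  <bouncycastle.version>1.84</bouncycastle.version>
  <netty.version>4.1.133.Final</netty.version>
  <jackson.version>2.18.7</jackson.version>
  <log4j.version>2.25.4</log4j.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- BOM imports: every netty-* / log4j-* artifact, direct or transitive,
         resolves to the BOM's version without listing each module -->
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-bom</artifactId>
      <version>${netty.version}</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-bom</artifactId>
      <version>${log4j.version}</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>

    <!-- bcprov and bcpkix must move together: bcpkix 1.77 arrived only
         transitively, so raising bcprov alone would leave a mismatched pair -->
    <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcprov-jdk18on</artifactId>
      <version>${bouncycastle.version}</version>
    </dependency>
    <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcpkix-jdk18on</artifactId>
      <version>${bouncycastle.version}</version>
    </dependency>

    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>${jackson.version}</version>
    </dependency>

    <!-- Transitive-only dependencies: managed here so that whichever path
         pulls them in resolves to the patched release -->
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.18.0</version>
    </dependency>
    <dependency>
      <groupId>org.bitcoinj</groupId>
      <artifactId>bitcoinj-core</artifactId>
      <version>0.17.1</version>
    </dependency>
    <dependency>
      <groupId>net.minidev</groupId>
      <artifactId>json-smart</artifactId>
      <version>2.4.9</version>
    </dependency>
    <dependency>
      <groupId>com.upokecenter</groupId>
      <artifactId>cbor</artifactId>
      <version>4.5.2</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

Two checks are worth running after a change like this. `mvn dependency:tree -Dincludes=org.bouncycastle` (and the same for the other groups) shows which version actually resolved and through which path, which is how a still-present 1.77 bcpkix would show up. And because a managed version only takes effect inside this build, consumers of a published library from this project do not inherit these pins unless the library declares the upgraded artifacts directly or they import the same BOMs; the `snyk test` step in the test plan should therefore be run against the module that is actually deployed.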

zofarkas and others added 2 commits May 19, 2026 10:23
…rabilities

Addresses 30 of 45 Snyk-reported vulnerabilities (1 critical, 18 high)
by upgrading direct and transitive dependency versions:

- BouncyCastle 1.80 -> 1.84 (1 critical + 2 high)
- Netty BOM -> 4.1.133.Final (10 high)
- Jackson 2.18.3 -> 2.18.7 (2 high)
- Log4j 2.23.1 -> 2.25.3 (best available)
- commons-lang3 -> 3.18.0 (1 high)
- bitcoinj-core -> 0.17.1 (1 high)
- json-smart -> 2.4.9 (1 high)
- com.upokecenter:cbor -> 4.5.2 (1 high)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…lnerabilities

Fixes CVE-2026-34478 (log injection in Rfc5424Layout),
CVE-2026-34479 and CVE-2026-34480 (encoding issues in XmlLayout).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@zofarkas zofarkas requested a review from xaviaracil as a code owner May 19, 2026 10:08
@xaviaracil xaviaracil merged commit 88d94c6 into 1EdTech:main May 21, 2026