From 9713f5c107c964a9bc07a1a41244faa3d956a45b Mon Sep 17 00:00:00 2001
From: Julio Castro
Date: Wed, 22 Oct 2025 09:10:25 +0200
Subject: [PATCH 1/2] [CHK-12730] fix dependabot #25 (ch.qos.logback:logback-core from 1.5.18 to 1.5.19)

---
 examples/example-spring-boot-starter-web/build.gradle | 5 +++--
 examples/example-spring-boot-starter-webflux/build.gradle | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/examples/example-spring-boot-starter-web/build.gradle b/examples/example-spring-boot-starter-web/build.gradle
index e4e6a749..aa15ec56 100644
--- a/examples/example-spring-boot-starter-web/build.gradle
+++ b/examples/example-spring-boot-starter-web/build.gradle
@@ -6,13 +6,14 @@ plugins {
 }
 // Needed for security. See:
+// - https://github.com/getyourguide/openapi-validation-java/security/dependabot/25
 // - https://github.com/getyourguide/openapi-validation-java/security/dependabot/7
 // - https://github.com/getyourguide/openapi-validation-java/security/dependabot/6
 // Hopefully with spring-boot 3.4.2+ this won't be needed anymore and can be removed.
 dependencyManagement {
 dependencies {
- dependency 'ch.qos.logback:logback-core:1.5.18'
- dependency 'ch.qos.logback:logback-classic:1.5.18'
+ dependency 'ch.qos.logback:logback-core:1.5.19'
+ dependency 'ch.qos.logback:logback-classic:1.5.19'
 }
 }
diff --git a/examples/example-spring-boot-starter-webflux/build.gradle b/examples/example-spring-boot-starter-webflux/build.gradle
index 60e1117d..26ae51a4 100644
--- a/examples/example-spring-boot-starter-webflux/build.gradle
+++ b/examples/example-spring-boot-starter-webflux/build.gradle
@@ -6,13 +6,14 @@ plugins {
 }
 // Needed for security. See:
+// - https://github.com/getyourguide/openapi-validation-java/security/dependabot/25
 // - https://github.com/getyourguide/openapi-validation-java/security/dependabot/7
 // - https://github.com/getyourguide/openapi-validation-java/security/dependabot/6
 // Hopefully with spring-boot 3.4.2+ this won't be needed anymore and can be removed.
 dependencyManagement {
 dependencies {
- dependency 'ch.qos.logback:logback-core:1.5.18'
- dependency 'ch.qos.logback:logback-classic:1.5.18'
+ dependency 'ch.qos.logback:logback-core:1.5.19'
+ dependency 'ch.qos.logback:logback-classic:1.5.19'
 }
 }

From 4bcf0158f7283abf1d6bcb846a7a006736cd9000 Mon Sep 17 00:00:00 2001
From: Julio Castro
Date: Wed, 22 Oct 2025 09:20:08 +0200
Subject: [PATCH 2/2] [CHK-12731] fix dependabot #24 (org.springframework:spring-core 6.2.10)

---
 build.gradle | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/build.gradle b/build.gradle
index be00b8d2..3219328b 100644
--- a/build.gradle
+++ b/build.gradle
@@ -3,7 +3,7 @@ plugins {
 alias(libs.plugins.nexus.publish)
 }
-ext['spring-framework.version'] = '6.2.10'
+ext['spring-framework.version'] = '6.2.11'
 ext['tomcat.version'] = '11.0.10'
 ext['netty.version'] = '4.2.6.Final' // Due to security vulnerabilities in 4.125.Final and older
@@ -70,11 +70,11 @@ subprojects {
 // Security constraints
 constraints {
- implementation("org.springframework:spring-web:6.2.10") {
- because("versions below 6.2.8 have security vulnerabilities including CVE-2024-38820 - see dependabot #12")
+ implementation("org.springframework:spring-web:6.2.11") {
+ because("versions below 6.2.11 have security vulnerabilities including CVE-2024-38820 and CVE-2025-41249 - see dependabot #12, #24")
 }
- implementation("org.springframework:spring-webmvc:6.2.10") {
- because("versions below 6.2.10 have Path Traversal Vulnerability CVE-2025-41242 - see dependabot #247")
+ implementation("org.springframework:spring-webmvc:6.2.11") {
+ because("versions below 6.2.11 have security vulnerabilities including CVE-2025-41242 and CVE-2025-41249 - see dependabot #24, #247")
 }
 implementation("org.apache.tomcat.embed:tomcat-embed-core:11.0.10") {
 because("versions below 10.1.42 have security vulnerabilities including CVE-2024-56337 - see dependabot #13")