Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(deps): update all non-major dependencies #44

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Apr 22, 2024

This PR contains the following updates:

Package Type Update Change Age Adoption Passing Confidence
gradle (source) minor 8.7 -> 8.12 age adoption passing confidence
com.fasterxml.jackson.core:jackson-databind (source) dependencies minor 2.10.1 -> 2.12.7.1 age adoption passing confidence
com.squareup.okio:okio dependencies patch 1.17.2 -> 1.17.6 age adoption passing confidence
org.bspfsystems:yamlconfiguration dependencies patch 2.0.1 -> 2.0.2 age adoption passing confidence
net.dv8tion:JDA dependencies minor 5.0.0-beta.22 -> 5.2.1 age adoption passing confidence
me.lucko:fabric-permissions-api dependencies minor 0.1-SNAPSHOT -> 0.3.3 age adoption passing confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


XML External Entity (XXE) Injection in Jackson Databind

CGA-jp8x-p2pf-pcp2 / CVE-2020-25649 / GHSA-288c-cq4h-88gq

More information

Details

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


jackson-databind possible Denial of Service if using JDK serialization to serialize JsonNode

CGA-fgh7-phh7-cj6x / CVE-2021-46877 / GHSA-3x8x-79m2-3w2w

More information

Details

jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Deeply nested json in jackson-databind

CGA-mh4f-39hj-cv5p / CVE-2020-36518 / GHSA-57j2-w4cx-62h2

More information

Details

jackson-databind is a data-binding package for the Jackson Data Processor. jackson-databind allows a Java stack overflow exception and denial of service via a large depth of nested objects.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Uncontrolled Resource Consumption in Jackson-databind

CGA-cr64-vww2-xpq8 / CVE-2022-42003 / GHSA-jjjh-jjxp-wpff

More information

Details

In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0.

Commits that introduced vulnerable code are
FasterXML/jackson-databind@d499f2e, FasterXML/jackson-databind@0e37a39, and FasterXML/jackson-databind@7ba9ac5.

Fix commits are FasterXML/jackson-databind@cd09097 and FasterXML/jackson-databind@d78d00e.

The 2.13.4.1 release does fix this issue, however it also references a non-existent jackson-bom which causes build failures for gradle users. See https://github.com/FasterXML/jackson-databind/issues/3627#issuecomment-1277957548 for details. This is fixed in 2.13.4.2 which is listed in the advisory metadata so that users are not subjected to unnecessary build failures

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Uncontrolled Resource Consumption in FasterXML jackson-databind

CGA-9vjr-qmvr-wg48 / CVE-2022-42004 / GHSA-rgv9-q543-rqg4

More information

Details

In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. This issue can only happen when the UNWRAP_SINGLE_VALUE_ARRAYS feature is explicitly enabled.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Okio Signed to Unsigned Conversion Error vulnerability

CVE-2023-3635 / GHSA-w33c-445m-f8w7

More information

Details

GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

gradle/gradle (gradle)

v8.12

Compare Source

v8.11.1: 8.11.1

Compare Source

This is a patch release for Gradle 8.11. We recommend users upgrade to 8.11.1 instead of 8.11.

It fixes the following issues:

  • #​31268 BuildEventsListenerRegistry corrupted with Isolated Projects and parallel configuration
  • #​31282 Running executables sporadically fails with ETXTBSY (Text file busy)
  • #​31284 ArrayIndexOutOfBoundsException after upgrading to gradle 8.11 when generating problems report
  • #​31310 Unable to run Gradle task in 8.10 due to bytecode interception

Read the Release Notes

Upgrade instructions

Switch your build to use Gradle 8.11.1 by updating your wrapper:

./gradlew wrapper --gradle-version=8.11.1

See the Gradle 8.x upgrade guide to learn about deprecations, breaking changes and other considerations when upgrading.

For Java, Groovy, Kotlin and Android compatibility, see the full compatibility notes.

Reporting problems

If you find a problem with this release, please file a bug on GitHub Issues adhering to our issue guidelines.
If you're not sure you're encountering a bug, please use the forum.

We hope you will build happiness with Gradle, and we look forward to your feedback via Twitter or on GitHub.

v8.11: 8.11

Compare Source

The Gradle team is excited to announce Gradle 8.11.

Read the Release Notes

We would like to thank the following community members for their contributions to this release of Gradle:
Adam,
alyssoncs,
Bilel MEDIMEGH,
Björn Kautler,
Chuck Thomas,
Daniel Lacasse,
Finn Petersen,
JK,
Jérémie Bresson,
luozexuan,
Mahdi Hosseinzadeh,
Markus Gaisbauer,
Matthew Haughton,
Matthew Von-Maszewski,
ploober,
Siarhei,
Titus James,
vrp0211

Upgrade instructions

Switch your build to use Gradle 8.11 by updating your wrapper:

./gradlew wrapper --gradle-version=8.11

See the Gradle 8.x upgrade guide to learn about deprecations, breaking changes and other considerations when upgrading.

For Java, Groovy, Kotlin and Android compatibility, see the full compatibility notes.

Reporting problems

If you find a problem with this release, please file a bug on GitHub Issues adhering to our issue guidelines.
If you're not sure you're encountering a bug, please use the forum.

We hope you will build happiness with Gradle, and we look forward to your feedback via Twitter or on GitHub.

v8.10.2: 8.10.2

Compare Source

This is a patch release for 8.10. We recommend using 8.10.2 instead of 8.10

It fixes the following issues:

  • #​30472 Investigate possibly broken 8.10.1
  • #​30477 Kotlin Mutliplatform build with reused daemon fails with "Cannot query the value of task ':compileKotlinWindows' property 'kotlinNativeBundleBuildService' because it has no value available."
  • #​30497 DefaultTaskCollection#configureEach(Action) on task set cannot be executed in the current context

Issues fixed in the first patch release:

  • #​30239 Gradle 8.10 Significantly Slower Due to Dependency Resolution
  • #​30272 Broken equals() contract for LifecycleAwareProject
  • #​30385 Gradle should not validate isolated projects when isolated projects is disabled

Read the Release Notes

Upgrade instructions

Switch your build to use Gradle 8.10.2 by updating your wrapper:

./gradlew wrapper --gradle-version=8.10.2

See the Gradle 8.x upgrade guide to learn about deprecations, breaking changes and other considerations when upgrading.

For Java, Groovy, Kotlin and Android compatibility, see the full compatibility notes.

Reporting problems

If you find a problem with this release, please file a bug on GitHub Issues adhering to our issue guidelines.
If you're not sure you're encountering a bug, please use the forum.

We hope you will build happiness with Gradle, and we look forward to your feedback via Twitter or on GitHub.

v8.10.1: 8.10.1

Compare Source

This is a patch release for 8.10. We recommend using 8.10.1 instead of 8.10

It fixes the following issues:

  • #​30239 Gradle 8.10 Significantly Slower Due to Dependency Resolution
  • #​30272 Broken equals() contract for LifecycleAwareProject
  • #​30385 Gradle should not validate isolated projects when isolated projects is disabled

Read the Release Notes

Upgrade instructions

Switch your build to use Gradle 8.10.1 by updating your wrapper:

./gradlew wrapper --gradle-version=8.10.1

See the Gradle 8.x upgrade guide to learn about deprecations, breaking changes and other considerations when upgrading.

For Java, Groovy, Kotlin and Android compatibility, see the full compatibility notes.

Reporting problems

If you find a problem with this release, please file a bug on GitHub Issues adhering to our issue guidelines.
If you're not sure you're encountering a bug, please use the forum.

We hope you will build happiness with Gradle, and we look forward to your feedback via Twitter or on GitHub.

v8.10: 8.10

Compare Source

The Gradle team is excited to announce Gradle 8.10.

Read the Release Notes

We would like to thank the following community members for their contributions to this release of Gradle:
Björn Kautler,
Craig Andrews,
gotovsky,
Jeff,
Kirill Gavrilov,
Madalin Valceleanu,
Sergei Vorobev,
Thach Le,
Thad Guidry

Upgrade instructions

Switch your build to use Gradle 8.10 by updating your wrapper:

./gradlew wrapper --gradle-version=8.10

See the Gradle 8.x upgrade guide to learn about deprecations, breaking changes and other considerations when upgrading.

For Java, Groovy, Kotlin and Android compatibility, see the full compatibility notes.

Reporting problems

If you find a problem with this release, please file a bug on GitHub Issues adhering to our issue guidelines.
If you're not sure you're encountering a bug, please use the forum.

We hope you will build happiness with Gradle, and we look forward to your feedback via Twitter or on GitHub.

v8.9: 8.9

Compare Source

The Gradle team is excited to announce Gradle 8.9.

Read the Release Notes

We would like to thank the following community members for their contributions to this release of Gradle:
/dev/mataha,
Alex-Vol-Amz,
Andrew Quinney,
Andrey Mischenko,
Björn Kautler,
dancer13,
Danish Nawab,
Endeavour233,
Gediminas Rimša,
gotovsky,
Jay Wei,
Jeff,
Madalin Valceleanu,
markslater,
Mel Arthurs,
Michael,
Nils Brugger,
Ole Osterhagen,
Piotr Kubowicz,
Róbert Papp,
Sebastian Davids,
Sebastian Schuberth,
Stefan Oehme,
Stefanos Koutsouflakis,
Taeik Lim,
Tianyi Tao,
Tim Nielens,
наб

Upgrade instructions

Switch your build to use Gradle 8.9 by updating your wrapper:

./gradlew wrapper --gradle-version=8.9

See the Gradle 8.x upgrade guide to learn about deprecations, breaking changes and other considerations when upgrading.

For Java, Groovy, Kotlin and Android compatibility, see the full compatibility notes.

Reporting problems

If you find a problem with this release, please file a bug on GitHub Issues adhering to our issue guidelines.
If you're not sure you're encountering a bug, please use the forum.

We hope you will build happiness with Gradle, and we look forward to your feedback via Twitter or on GitHub.

v8.8: 8.8

Compare Source

The Gradle team is excited to announce Gradle 8.8.

Read the Release Notes

We would like to thank the following community members for their contributions to this release of Gradle:
Björn Kautler,
Denes Daniel,
Fabian Windheuser,
Hélio Fernandes Sebastião,
Jay Wei,
jhrom,
jwp345,
Jörgen Andersson,
Kirill Gavrilov,
MajesticMagikarpKing,
Maksim Lazeba,
Philip Wedemann,
Robert Elliot,
Róbert Papp,
Stefan M.,
Tibor Vyletel,
Tony Robalik,
Valentin Kulesh,
Yanming Zhou,
김용후

Upgrade instructions

Switch your build to use Gradle 8.8 by updating your wrapper:

./gradlew wrapper --gradle-version=8.8

See the Gradle 8.x upgrade guide to learn about deprecations, breaking changes and other considerations when upgrading.

For Java, Groovy, Kotlin and Android compatibility, see the full compatibility notes.

Reporting problems

If you find a problem with this release, please file a bug on GitHub Issues adhering to our issue guidelines.
If you're not sure you're encountering a bug, please use the forum.

We hope you will build happiness with Gradle, and we look forward to your feedback via Twitter or on GitHub.

square/okio (com.squareup.okio:okio)

v1.17.6

2023-10-01

  • Fix: Don't crash decoding GZIP files when the optional extra data (XLEN) is 32 KiB or larger.

v1.17.5

2019-12-11

  • Fix: Don't crash when an InputStream source is exhausted exactly at a buffer segment boundary.
    We had a bug where a sequence of reads could violate a buffer's invariants, and this could result
    in a crash when subsequent reads encountered an unexpected empty segment.

v1.17.4

2019-04-29

  • Fix: Don't block unless strictly necessary in BufferedSource.peek().

v1.17.3

2019-01-28

  • Fix: Make Pipe.fold() close the underlying sink when necessary.
bspfsystems/YamlConfiguration (org.bspfsystems:yamlconfiguration)

v2.0.2: Release 2.0.2

Updates:

  • Replaced java.util.logging logger with SLF4J
  • Small formatting adjustments

Documentation:

  • Cleaned up and clarified Javadocs
discord-jda/JDA (net.dv8tion:JDA)

v5.2.1

Small bug fix release.

Bug Fixes

Full Changelog: discord-jda/JDA@v5.2.0...v5.2.1

Installation

Gradle

repositories {
    mavenCentral()
}
dependencies {
    implementation("net.dv8tion:JDA:5.2.1")
}

Maven

<dependency>
    <groupId>net.dv8tion</groupId>
    <artifactId>JDA</artifactId>
    <version>5.2.1</version> 
</dependency>

v5.2.0: | Application emoji and premium buttons

Overview

This release adds some new features for applications. We've also started working on more compliance tests to make contributing and reviewing changes easier.

Premium Buttons (#​2752)

The interaction response replyWithPremiumRequired is being phased out in favor of custom messages with a new button style Button.premium(sku) to upsell specific premium features instead.

You can change your code to a simple reply(content) with this button as a component.

event.reply("This feature is only available for premium users.")
  .addActionRow(Button.primary(SkuSnowflake.fromId(PREMIUM_FEATURE_SKU)))
  .setEphemeral(true)
  .queue();

For more info, see the official Discord Changelog.

Application Emoji (#​2726)

Your bot can now manage emoji with JDA by using JDA#createApplicationEmoji. These emojis can then be used like any other emoji with `Emoji.fromCustom(nam


Configuration

📅 Schedule: Branch creation - "before 12pm on Sunday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/all-minor-patch branch from cf6d603 to 5abed47 Compare May 12, 2024 15:17
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 5abed47 to 849c477 Compare May 24, 2024 23:03
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 849c477 to 5bba9b3 Compare June 1, 2024 00:34
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from 7e52661 to af44394 Compare July 15, 2024 20:07
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from af44394 to 0dfb13f Compare August 4, 2024 15:08
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from bf0c924 to f88126e Compare August 17, 2024 19:20
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from f88126e to 673af4b Compare August 21, 2024 17:15
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 4 times, most recently from 6a29170 to 518f28e Compare September 9, 2024 10:52
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from abef2fa to e7d2b0e Compare September 23, 2024 22:21
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from e7d2b0e to 86a2e22 Compare October 5, 2024 13:27
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from 3cf7536 to 8143c41 Compare October 28, 2024 09:51
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from c808a36 to d76f2b0 Compare November 10, 2024 16:44
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from d76f2b0 to 06ff3d5 Compare November 11, 2024 16:16
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 06ff3d5 to d77cc86 Compare November 20, 2024 20:27
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from d77cc86 to 5a00935 Compare December 2, 2024 11:13
@renovate renovate bot added the security label Dec 2, 2024
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 5a00935 to 31b3478 Compare December 2, 2024 13:55
@renovate renovate bot changed the title chore(deps): update all non-major dependencies fix(deps): update all non-major dependencies Dec 10, 2024
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 31b3478 to 13da33a Compare December 20, 2024 19:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants