fix(deps): update all non-major dependencies #44
+39 −29
This PR contains the following updates:
gradle (gradle/gradle): 8.7 -> 8.12
com.fasterxml.jackson.core:jackson-databind: 2.10.1 -> 2.12.7.1
com.squareup.okio:okio: 1.17.2 -> 1.17.6
org.bspfsystems:yamlconfiguration: 2.0.1 -> 2.0.2
net.dv8tion:JDA: 5.0.0-beta.22 -> 5.2.1
(name not shown): 0.1-SNAPSHOT -> 0.3.3
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
XML External Entity (XXE) Injection in Jackson Databind
CGA-jp8x-p2pf-pcp2 / CVE-2020-25649 / GHSA-288c-cq4h-88gq
Details
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw leaves it vulnerable to XML external entity (XXE) attacks. The highest threat from this vulnerability is to data integrity.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
jackson-databind possible Denial of Service if using JDK serialization to serialize JsonNode
CGA-fgh7-phh7-cj6x / CVE-2021-46877 / GHSA-3x8x-79m2-3w2w
Details
jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Deeply nested json in jackson-databind
CGA-mh4f-39hj-cv5p / CVE-2020-36518 / GHSA-57j2-w4cx-62h2
Details
jackson-databind is a data-binding package for the Jackson Data Processor. jackson-databind allows a Java stack overflow exception and denial of service via a large depth of nested objects.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Uncontrolled Resource Consumption in Jackson-databind
CGA-cr64-vww2-xpq8 / CVE-2022-42003 / GHSA-jjjh-jjxp-wpff
Details
In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0.
Commits that introduced vulnerable code are FasterXML/jackson-databind@d499f2e, FasterXML/jackson-databind@0e37a39, and FasterXML/jackson-databind@7ba9ac5.
Fix commits are FasterXML/jackson-databind@cd09097 and FasterXML/jackson-databind@d78d00e.
The 2.13.4.1 release does fix this issue, however it also references a non-existent jackson-bom which causes build failures for gradle users. See https://github.com/FasterXML/jackson-databind/issues/3627#issuecomment-1277957548 for details. This is fixed in 2.13.4.2, which is listed in the advisory metadata so that users are not subjected to unnecessary build failures.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Uncontrolled Resource Consumption in FasterXML jackson-databind
CGA-9vjr-qmvr-wg48 / CVE-2022-42004 / GHSA-rgv9-q543-rqg4
Details
In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. This issue can only happen when the UNWRAP_SINGLE_VALUE_ARRAYS feature is explicitly enabled.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Okio Signed to Unsigned Conversion Error vulnerability
CVE-2023-3635 / GHSA-w33c-445m-f8w7
Details
GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
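A check worth running before merging a bump like this one: what matters is the jackson-databind version Gradle actually resolves onto the runtime classpath (a transitive dependency can request an older one, and Gradle prints `requested -> resolved` when conflict resolution changes it), and jackson-databind's four-component micro-patches (2.12.7 versus 2.12.7.1, 2.13.4.1 versus 2.13.4.2) trip naive version comparisons. The script below is an added example, not Renovate's, Gradle's or Jackson's own code. It encodes only the vulnerable ranges quoted in the advisories above, and the `gradle dependencies` excerpts it runs over are constructed for illustration (the transitive edges are made up, not taken from this repository).

```python
"""Audit a `gradle dependencies` tree against the jackson-databind advisory
ranges quoted in this PR.  Added example; not Renovate, Gradle or Jackson code."""
import re

# Vulnerable ranges exactly as the advisory text above states them, as
# half-open intervals [lo, hi); None means no lower bound was given.  Only
# advisories whose range is quoted on this page are encoded.  CVE-2020-25649
# and CVE-2020-36518 carry no range in the PR text and must be added from the
# advisory database rather than guessed.
JACKSON_DATABIND = ("com.fasterxml.jackson.core", "jackson-databind")
ADVISORIES = {
    "CVE-2022-42003": [("2.4.0-rc1", "2.12.7.1"), ("2.13.0", "2.13.4.2")],
    "CVE-2022-42004": [(None, "2.12.7.1"), ("2.13.0", "2.13.4")],
    "CVE-2021-46877": [("2.10.0", "2.12.6"), ("2.13.0", "2.13.1")],
}


def parse_version(v):
    """Turn a version string into a tuple that orders correctly.

    '2.12.7.1' > '2.12.7' because the longer numeric tuple sorts after the
    shorter prefix, and a pre-release tag (rc, beta, SNAPSHOT) sorts below the
    bare release with the same numbers.  Tag parts are wrapped as
    (0, int) / (1, str) so mixed-type comparisons can never raise TypeError."""
    core, _, pre = v.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    if not pre:
        return (nums, (1,))
    tag = tuple((0, int(t)) if t.isdigit() else (1, t.lower())
                for t in re.findall(r"\d+|[A-Za-z]+", pre))
    return (nums, (0,) + tag)


def in_range(version, lo, hi):
    v = parse_version(version)
    return (lo is None or parse_version(lo) <= v) and v < parse_version(hi)


def is_affected(cve, version):
    return any(in_range(version, lo, hi) for lo, hi in ADVISORIES[cve])


# group:artifact:requested, optionally followed by ' -> resolved'
DEP_RE = re.compile(r"([\w.\-]+):([\w.\-]+):([\w.\-]+)(?:\s+->\s+([\w.\-]+))?")


def resolved_versions(tree_text):
    """Map (group, artifact) -> set of versions Gradle actually resolved.
    When Gradle prints 'requested -> resolved', the resolved side is what
    lands on the classpath, so that is the one that gets audited."""
    found = {}
    for line in tree_text.splitlines():
        m = DEP_RE.search(line)
        if m:
            group, name, requested, resolved = m.groups()
            found.setdefault((group, name), set()).add(resolved or requested)
    return found


def audit(tree_text):
    """Return sorted (cve, version) pairs for every resolved jackson-databind
    version that falls inside an encoded vulnerable range."""
    findings = set()
    for version in resolved_versions(tree_text).get(JACKSON_DATABIND, ()):
        for cve in ADVISORIES:
            if is_affected(cve, version):
                findings.add((cve, version))
    return sorted(findings)


# Constructed excerpts of `gradle dependencies --configuration runtimeClasspath`
# before and after this PR.  Sample input, not real output from the repository.
TREE_BEFORE = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- com.fasterxml.jackson.core:jackson-databind:2.10.1
|    +--- com.fasterxml.jackson.core:jackson-annotations:2.10.1
|    \\--- com.fasterxml.jackson.core:jackson-core:2.10.1
+--- com.squareup.okio:okio:1.17.2
\\--- net.dv8tion:JDA:5.0.0-beta.22
     \\--- com.fasterxml.jackson.core:jackson-databind:2.10.1 (*)
"""
TREE_AFTER = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- com.fasterxml.jackson.core:jackson-databind:2.12.7.1
|    +--- com.fasterxml.jackson.core:jackson-annotations:2.12.7
|    \\--- com.fasterxml.jackson.core:jackson-core:2.12.7
+--- com.squareup.okio:okio:1.17.6
\\--- net.dv8tion:JDA:5.2.1
     \\--- com.fasterxml.jackson.core:jackson-databind:2.10.1 -> 2.12.7.1 (*)
"""

if __name__ == "__main__":
    for label, tree in (("before", TREE_BEFORE), ("after", TREE_AFTER)):
        print(label, audit(tree) or "clean")
```

Run `./gradlew dependencies --configuration runtimeClasspath > deps.txt` and pass the file contents to `audit()`. Note that 2.12.7 is still reported for CVE-2022-42003 and CVE-2022-42004 while 2.12.7.1 is clean, which is the distinction a three-component semver parser would get wrong, and that a clean result only covers the three advisories with ranges quoted here.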
Release Notes
gradle/gradle (gradle)
v8.12
v8.11.1: 8.11.1
This is a patch release for Gradle 8.11. We recommend users upgrade to 8.11.1 instead of 8.11.
It fixes the following issues:
Read the Release Notes
Upgrade instructions
Switch your build to use Gradle 8.11.1 by updating your wrapper:
See the Gradle 8.x upgrade guide to learn about deprecations, breaking changes and other considerations when upgrading.
For Java, Groovy, Kotlin and Android compatibility, see the full compatibility notes.
Reporting problems
If you find a problem with this release, please file a bug on GitHub Issues adhering to our issue guidelines.
If you're not sure you're encountering a bug, please use the forum.
We hope you will build happiness with Gradle, and we look forward to your feedback via Twitter or on GitHub.
v8.11: 8.11
The Gradle team is excited to announce Gradle 8.11.
Read the Release Notes
We would like to thank the following community members for their contributions to this release of Gradle:
Adam,
alyssoncs,
Bilel MEDIMEGH,
Björn Kautler,
Chuck Thomas,
Daniel Lacasse,
Finn Petersen,
JK,
Jérémie Bresson,
luozexuan,
Mahdi Hosseinzadeh,
Markus Gaisbauer,
Matthew Haughton,
Matthew Von-Maszewski,
ploober,
Siarhei,
Titus James,
vrp0211
Upgrade instructions
Switch your build to use Gradle 8.11 by updating your wrapper:
v8.10.2: 8.10.2
This is a patch release for 8.10. We recommend using 8.10.2 instead of 8.10.
It fixes the following issues:
Issues fixed in the first patch release:
Read the Release Notes
Upgrade instructions
Switch your build to use Gradle 8.10.2 by updating your wrapper:
v8.10.1: 8.10.1
This is a patch release for 8.10. We recommend using 8.10.1 instead of 8.10.
It fixes the following issues:
Read the Release Notes
Upgrade instructions
Switch your build to use Gradle 8.10.1 by updating your wrapper:
v8.10: 8.10
The Gradle team is excited to announce Gradle 8.10.
Read the Release Notes
We would like to thank the following community members for their contributions to this release of Gradle:
Björn Kautler,
Craig Andrews,
gotovsky,
Jeff,
Kirill Gavrilov,
Madalin Valceleanu,
Sergei Vorobev,
Thach Le,
Thad Guidry
Upgrade instructions
Switch your build to use Gradle 8.10 by updating your wrapper:
v8.9: 8.9
The Gradle team is excited to announce Gradle 8.9.
Read the Release Notes
We would like to thank the following community members for their contributions to this release of Gradle:
/dev/mataha,
Alex-Vol-Amz,
Andrew Quinney,
Andrey Mischenko,
Björn Kautler,
dancer13,
Danish Nawab,
Endeavour233,
Gediminas Rimša,
gotovsky,
Jay Wei,
Jeff,
Madalin Valceleanu,
markslater,
Mel Arthurs,
Michael,
Nils Brugger,
Ole Osterhagen,
Piotr Kubowicz,
Róbert Papp,
Sebastian Davids,
Sebastian Schuberth,
Stefan Oehme,
Stefanos Koutsouflakis,
Taeik Lim,
Tianyi Tao,
Tim Nielens,
наб
Upgrade instructions
Switch your build to use Gradle 8.9 by updating your wrapper:
v8.8: 8.8
The Gradle team is excited to announce Gradle 8.8.
Read the Release Notes
We would like to thank the following community members for their contributions to this release of Gradle:
Björn Kautler,
Denes Daniel,
Fabian Windheuser,
Hélio Fernandes Sebastião,
Jay Wei,
jhrom,
jwp345,
Jörgen Andersson,
Kirill Gavrilov,
MajesticMagikarpKing,
Maksim Lazeba,
Philip Wedemann,
Robert Elliot,
Róbert Papp,
Stefan M.,
Tibor Vyletel,
Tony Robalik,
Valentin Kulesh,
Yanming Zhou,
김용후
Upgrade instructions
Switch your build to use Gradle 8.8 by updating your wrapper:
square/okio (com.squareup.okio:okio)
v1.17.6
2023-10-01
(XLEN) is 32 KiB or larger.
v1.17.5
2019-12-11
InputStream source is exhausted exactly at a buffer segment boundary. We had a bug where a sequence of reads could violate a buffer's invariants, and this could result in a crash when subsequent reads encountered an unexpected empty segment.
v1.17.4
2019-04-29
BufferedSource.peek().
v1.17.3
2019-01-28
Pipe.fold() close the underlying sink when necessary.
bspfsystems/YamlConfiguration (org.bspfsystems:yamlconfiguration)
v2.0.2: Release 2.0.2
Updates:
java.util.logging logger with SLF4J
Documentation:
discord-jda/JDA (net.dv8tion:JDA)
v5.2.1
Small bug fix release.
Bug Fixes
Full Changelog: discord-jda/JDA@v5.2.0...v5.2.1
v5.2.0: Application emoji and premium buttons
Overview
This release adds some new features for applications. We've also started working on more compliance tests to make contributing and reviewing changes easier.
Premium Buttons (#2752)
The interaction response replyWithPremiumRequired is being phased out in favor of custom messages with a new button style Button.premium(sku) to upsell specific premium features instead. You can change your code to a simple reply(content) with this button as a component. For more info, see the official Discord Changelog.
Application Emoji (#2726)
Your bot can now manage emoji with JDA by using JDA#createApplicationEmoji. These emojis can then be used like any other emoji with `Emoji.fromCustom(nam
Configuration
📅 Schedule: Branch creation - "before 12pm on Sunday" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.