This is an automated email from the ASF dual-hosted git repository.

tzimanyi pushed a commit to branch main
in repository 
https://gitbox.apache.org/repos/asf/incubator-kie-kogito-runtimes.git


The following commit(s) were added to refs/heads/main by this push:
     new 3b62b885c9 [CVE][incubator-kie-issues#2192] Upgrade lz4-java to 1.8.1
3b62b885c9 is described below

commit 3b62b885c98473cd48fde591fdc7be7a9af2dee7
Author: Deepak Joseph <[email protected]>
AuthorDate: Thu Dec 18 17:05:06 2025 +0530

    [CVE][incubator-kie-issues#2192] Upgrade lz4-java to 1.8.1
---
 kogito-build/kogito-dependencies-bom/pom.xml | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/kogito-build/kogito-dependencies-bom/pom.xml 
b/kogito-build/kogito-dependencies-bom/pom.xml
index 7167047c0a..88e0426501 100644
--- a/kogito-build/kogito-dependencies-bom/pom.xml
+++ b/kogito-build/kogito-dependencies-bom/pom.xml
@@ -169,18 +169,23 @@
     
<version.apache.commons.commons-compress>1.27.1</version.apache.commons.commons-compress>
 
     <version.tomcat.embed.core>10.1.48</version.tomcat.embed.core>
+    <version.org.lz4.java>1.8.1</version.org.lz4.java>
   </properties>
 
   <dependencyManagement>
     <dependencies>
 
-      <!-- These versions are overrides for transitive dependencies, to fix 
security vulnerabilities.
-     They need to be checked with Quarkus and Spring Boot upgrades and 
eventually removed, if they are not needed anymore. -->
+      <!-- These versions are overrides for transitive dependencies, to fix 
security vulnerabilities. -->
       <dependency>
         <groupId>org.eclipse.angus</groupId>
         <artifactId>angus-mail</artifactId>
         <version>${version.angus.mail}</version>
       </dependency>
+      <dependency>
+        <groupId>org.lz4</groupId>
+        <artifactId>lz4-java</artifactId>
+        <version>${version.org.lz4.java}</version>
+      </dependency>
       <!-- End of various transitive overrides. -->
 
       <!-- Not directly used, but used to override transitive versions of 
Spring dependencies dependencies to fix vulnerabilities -->
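Review bot: The rewritten comment above the angus-mail override drops the sentence saying these overrides must be re-checked on Quarkus and Spring Boot upgrades and removed once they are no longer needed, while this hunk adds another override (lz4-java) to the same group. A version pinned in a BOM can later hold consumers below a newer patched release that the platform BOMs would otherwise bring in, so that reminder is worth keeping. I would restore it and record why each entry exists, for example `<!-- lz4-java: override for ADVISORY-ID-PLACEHOLDER, see incubator-kie-issues#2192; re-check on Quarkus/Spring Boot upgrades -->`. Whether the pin takes effect for modules that also import other BOMs likely depends on import order, which is not visible here; `mvn dependency:tree -Dincludes=org.lz4:lz4-java` on a consumer module would confirm the resolved version. The `<dependencyManagement>` block continues outside the hunk.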
@@ -1010,7 +1015,7 @@
         <groupId>org.apache.maven</groupId>
         <artifactId>maven-project</artifactId>
         <version>${version.maven.project}</version>
-    </dependency>
+      </dependency>
       <dependency>
         <groupId>org.apache.maven</groupId>
         <artifactId>maven-core</artifactId>
@@ -1101,13 +1106,13 @@
         <artifactId>swagger-parser</artifactId>
         <version>${version.io.swagger.parser.v3}</version>
       </dependency>
-      
+
       <dependency>
         <groupId>io.swagger.core.v3</groupId>
         <artifactId>swagger-model</artifactId>
         <version>${version.io.swagger.core.v3}</version>
       </dependency>
-      
+
       <dependency>
         <groupId>io.swagger.core.v3</groupId>
         <artifactId>swagger-core</artifactId>
@@ -1235,7 +1240,7 @@
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-lang3</artifactId>
           </exclusion>
-         </exclusions>
+        </exclusions>
       </dependency>
       <dependency>
         <groupId>com.fasterxml.jackson.datatype</groupId>

