00felix opened a new pull request, #143: URL: https://github.com/apache/johnzon/pull/143
the 3 verified upgrades: 1. This pull request upgrades the com.google.guava:guava dependency from version 25.1-android to 33.6.0-jre to address two known security vulnerabilities. Vulnerabilities resolved: https://github.com/advisories/GHSA-7g45-4rm6-3mm3 – Guava’s Files.createTempDir() and similar methods create temporary directories with insecure permissions, potentially allowing local privilege escalation or information disclosure. https://github.com/advisories/GHSA-5mg8-w23w-74h3 – Guava’s CompoundOrdering class can leak internal state via its toString() method, exposing sensitive information. Upgrading to the latest JRE flavor ensures these issues are fixed while also bringing in other stability and compatibility improvements. No code changes are required – the dependency version is updated in the build configuration only, and the existing API usage remains compatible. 2. This pull request upgrades the commons-io:commons-io dependency from version 2.5 to version 20030203.000550 to address two security vulnerabilities: https://github.com/advisories/GHSA-78wr-2p64-hpwj: A possible denial of service attack via untrusted input to XmlStreamReader. https://github.com/advisories/GHSA-gwrp-pvrq-jmwv: Path traversal and improper input validation vulnerabilities. No code changes are required; the dependency version update itself resolves these issues. 3. This pull request upgrades the junit:junit dependency from version 4.12 to 4.13.2. Why this upgrade matters: Version 4.13.2 includes a security fix for https://github.com/advisories/GHSA-269g-pwp5-87pp, a vulnerability in the TemporaryFolder rule on Unix‑like systems. In affected versions, files and directories created by TemporaryFolder do not have their permissions restricted, which could allow other local users to read or modify temporary test data. The fix ensures that created temporary files are only accessible by the owner. Code changes: No code changes are required. The upgrade is a direct version bump that applies the patched dependency. All existing test behavior remains unchanged. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
