Skip to content

fix: resolve CVEs #348

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
meotch wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix: resolve CVEs #348

meotch wants to merge 1 commit into from
+120 −116

Conversation

@meotch
Copy link

@meotch meotch commented Feb 10, 2026
edited
Loading

Summary of Changes

Resolve the following CVEs

  • Uncontrolled Recursion [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHECOMMONS-10734078 ] in org.apache.commons:commons-lang3@3.17.0
  • Improper Validation of Certificate with Host Mismatch [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-14532782 ] in org.apache.logging.log4j:log4j-core@2.24.3
  • XML External Entity (XXE) Injection [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGASSERTJ-15102413 ] in org.assertj:assertj-core@3.27.6

Fixes MC-9656

Public API Additions/Changes

None

Downstream Consumer Impact

None

How Has This Been Tested?

Verified project building and tests passing in pipeline

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my code
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works

stevecl5
stevecl5 previously approved these changes Feb 10, 2026
View reviewed changes
@stevecl5 stevecl5 dismissed their stale review February 11, 2026 00:02

I think we should give this a try before overriding dependencies in each core library: mxenabled/path-facilities#85 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@stevecl5 stevecl5 stevecl5 left review comments

@mattnichols mattnichols Awaiting requested review from mattnichols mattnichols is a code owner

@gerfboy gerfboy Awaiting requested review from gerfboy gerfboy is a code owner

@RyanJones08 RyanJones08 Awaiting requested review from RyanJones08 RyanJones08 is a code owner

@tessstoddard tessstoddard Awaiting requested review from tessstoddard tessstoddard is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@meotch @stevecl5 @meotchwilliams