vert-x3 / vertx-dependencies Goto Github PK

the dependencyManagement of vertx-dependencies has a reference to vertx-mail and vertx-mongo however that is not built and released since 3.5.1 almost 3 years ago

      <dependency>
        <groupId>io.vertx</groupId>
        <artifactId>vertx-mail</artifactId>
        <version>4.0.0.CR1</version>
      </dependency>
      <dependency>
        <groupId>io.vertx</groupId>
        <artifactId>vertx-mongo</artifactId>
        <version>4.0.0.CR1</version>
      </dependency>

vertx-zookeeper was also in vertx-dependencies, but was not tagged and released for 4.0.0.CR1, if it has been dropped it should be removed from the here

      <dependency>
        <groupId>io.vertx</groupId>
        <artifactId>vertx-zookeeper</artifactId>
        <version>4.0.0.CR1</version>
      </dependency>

Upgrade to Netty 4.1.48.Final and TC native 2.0.29.Final

https://ossindex.sonatype.org/vuln/4e1d093b-9ce9-4fc1-8089-5a1c4e519473

Backport #87 to 4.2

Declare dependencies of the Vert.x stack we want to guarantee to be the same throughout the stack.

• org.slf4j groupId
• org.apache.logging.log4j groupId
• org.yaml:snakeyaml
• com.google.guava:guava

The vertx-lang-kotlin-coroutines dependency is missing; it should be added from version 3.5.0.

In order to make sure logging frameworks are not transitive dependencies of vert.x, we have forced log4j and others versions and scope in 1c6a087

This prevents users from simply adding log4j core or logback to their project dependencies in order to get logging to work (see forum or StackOverflow)

The workaround is to add the log4j bom before the vertx stack depchain in the user project. We do the same in the Vert.x starter:

https://github.com/vert-x3/vertx-starter/blob/03615431ea8dab854cf7893bf294fd6811711850/pom.xml#L20-L44

I see with Black Duck analyzer that vertx jackson dependencies present lot of security defect. ( see : https://www.cvedetails.com/vulnerability-list/vendor_id-15866/product_id-42991/Fasterxml-Jackson-databind.html )

I recommend to move to Jackson 2.10.x in order to solve this.

vertx-web-templ-rythm is built in vertx-web but has no dependency definition in vertx-dependencies master like all other web-templ

Upgrade to Netty 4.1.73.Final

Currently the BOM doesn't have the vertx-health-check dependency.

See: GHSA-57j2-w4cx-62h2

Although jackson-databind isn't a dependency used by vert.x core modules, we should bump the version we use as it imports the official jackson bom which sets the default version for this dependency by projects that include it without locking the version.

Fixed by: 3e90e8d

Describe the feature

It seems that jackson is updated to the 2.10.x line in the upcoming version 3.9.0 and they have released another patch version. It might be valuable to update to 2.10.3 before releasing 3.9.0

Use cases

https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.10.3

Hi,
Please upgrade jackson-databind to version 2.9.4 or later (2.9.5).

CVEs: CVE-2018-5968, CVE-2017-17485, CVE-2017-15095

Describe the feature

Netty has released a couple of additional patch versions. It might be valuable to update to 4.1.48.Final before releasing 3.9.0

Use cases

https://netty.io/news/

Hi,
Please upgrade jackson-databind to version 2.9.7.

Snyk: https://app.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-72449

CVEs: CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721
CWEs: CWE-502

edit: updated CVEs

Read me

Read this first before creating an issue:

• do not use this issue tracker to ask questions, instead use one of these channels. Questions will likely be closed without notice.
• you shall create a feature request only when it is general purpose enough.
• make sure that the feature is not already

Describe the feature

Give the simplest and best explanation.

Use cases

A list of use cases this feature will enable and the value it creates.

Contribution

Who should implement this feature ? are you volunteering for implementing this feature or
do you know that is able and willing implement this feature ?

vertx-dependencies dependencyManagement section has references to multiple vertx artifacts that do not exist -

io.vertx:vertx-consul
io.vertx:vertx-mongo
io.vertx:vertx-mail
io.vertx:vertx-jgroups (last released 3.5.0.Beta1)
io.vertx:vertx-maven-service-factory-parent (last released 3.1.0)

I checked on maven central and they were last released for version 3.5.1 (unless stated along side the artifact) and are still in the 3.5.3 branch and master (3.6) so I guess they were never removed when the projects changed.

Vert.x 4.4.5 appears to have a dependency on jackson-core 2.15.0, which introduced a breaking change in the default max String value length (FasterXML/jackson-core#1014).

Would you please consider updating the jackson-core dependency in a future release?

Bumps:

• 4.1.68.Final
• 2.0.43.Final

Fixes

• CVE-2021-37136 (Vert.x not affected)
• CVE-2021-37137 (Vert.x not affected)