@ghostroot007
Contributor

Status

READY

Commit Message

Bumped vertx version to the latest stable release in pom.xml to address High severity vulnerability CVE-2025-24970

Commit Message Description

Contributes to: fixing CVE-2025-24970
Closes: CVE-2025-24970

Signed-off-by: Ajaykrishna J <iamajaykrishnaj@gmail.com>
  • The reviewer should copy the above text into the extended description field when performing the squash and merge from this page.

Checklist

  • Automated tests exist
  • Documentation exists link
  • Local unit tests performed
  • Sufficient logging/trace
  • Desired commit message set as PR title and commit description set above


@dalelane dalelane left a comment

verified locally - looks good

@dalelane

commit message isn't compliant, but I can fix that when I merge

I'll wait for the build & test check to pass before I do that

@dalelane

dalelane commented May 27, 2025

build failure - almost certainly unrelated to the specific change in the PR

    Error:  Failed to execute goal org.apache.maven.plugins:maven-resources-plugin:3.3.1:resources
    (default-resources) on project demo:
    filtering /home/runner/work/kafka-java-vertx-starter/kafka-java-vertx-starter/src/main/resources/webroot/fonts/IBMPlexSans-Text-Pi.woff2 to
    /home/runner/work/kafka-java-vertx-starter/kafka-java-vertx-starter/target/classes/webroot/fonts/IBMPlexSans-Text-Pi.woff2
    failed with MalformedInputException: Input length = 1 -> [Help 1]
    Error:
    Error:  To see the full stack trace of the errors, re-run Maven with the -e switch.
    Error:  Re-run Maven using the -X switch to enable full debug logging.
    Error:
    Error:  For more information about the errors and possible solutions, please read the following articles:
    Error:  [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
    Error: Process completed with exit code 1.

@aswinayyolath
Contributor

@ghostroot007

I ran mvn verify locally and I can see the same error... Not related to the PR though. I'm running mvn verify from the main branch

image

I am not sure if we really want filtering for binary files like fonts or images etc... I tried disabling filtering by adding

    <excludes>
        <exclude>**/*.woff2</exclude>
        <exclude>**/*.woff</exclude>
    </excludes>

and it looks like the problem is gone

image

This is the diff

image

Not completely sure if this is the right thing to do... but take advice from Dale and proceed

@aswinayyolath
Contributor

mvn verify on my local machine might be showing issues due to mvn and java version issues, as I can see there were no issues for Dale verifying it locally

    Aswin 🔥🔥🔥 $ java --version
    java 17.0.10 2024-01-16 LTS
    Java(TM) SE Runtime Environment (build 17.0.10+11-LTS-240)
    Java HotSpot(TM) 64-Bit Server VM (build 17.0.10+11-LTS-240, mixed mode, sharing)
    Aswin 🔥🔥🔥 $
    Aswin 🔥🔥🔥 $ mvn -v
    Apache Maven 3.9.7 (8b094c9513efc1b9ce2d952b3b9c8eaedaf8cbf0)
    Maven home: /Users/aswina/Downloads/apache-maven-3.9.7
    Java version: 17.0.10, vendor: Oracle Corporation, runtime: /Library/Java/JavaVirtualMachines/jdk-17.jdk/Contents/Home
    Default locale: en_US, platform encoding: UTF-8
    OS name: "mac os x", version: "15.3.2", arch: "aarch64", family: "mac"
    Aswin 🔥🔥🔥 $

@dalelane

@ghostroot007 Please verify that the app builds correctly with that change by running it, and checking that the fonts are correctly rendered in the browser
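
A byte-level check to go with the browser test requested above, as an added example that is not part of the PR or the project's code. An `<excludes>` entry in a Maven `<resource>` block removes matching files from that block's copy unless another block includes them, so the script compares binary resources under `src/main/resources` with their copies under `target/classes`. The function name and the extensions other than `.woff`/`.woff2` are assumptions.

```python
import hashlib
import sys
from pathlib import Path

# .woff/.woff2 come from the thread; the other extensions are assumed examples.
BINARY_EXTS = {".woff", ".woff2", ".ttf", ".png", ".ico"}


def sha256(path: Path) -> str:
    """Hex SHA-256 of a file's raw bytes (no text decoding involved)."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def check_binary_resources(src_root, out_root, exts=BINARY_EXTS):
    """Compare binary resources in src_root with the build output in out_root.

    Returns (missing, altered): relative paths that were not copied at all,
    and paths whose bytes differ from the source (e.g. mangled by filtering).
    """
    src_root, out_root = Path(src_root), Path(out_root)
    missing, altered = [], []
    for src in sorted(src_root.rglob("*")):
        if not src.is_file() or src.suffix.lower() not in exts:
            continue  # text resources are expected to change under filtering
        rel = src.relative_to(src_root)
        out = out_root / rel
        if not out.is_file():
            missing.append(rel.as_posix())
        elif sha256(out) != sha256(src):
            altered.append(rel.as_posix())
    return missing, altered


if __name__ == "__main__":
    # Default paths are the Maven layout visible in the build log above.
    src = sys.argv[1] if len(sys.argv) > 1 else "src/main/resources"
    out = sys.argv[2] if len(sys.argv) > 2 else "target/classes"
    missing, altered = check_binary_resources(src, out)
    for p in missing:
        print(f"MISSING  {p}")
    for p in altered:
        print(f"ALTERED  {p}")
    sys.exit(1 if missing or altered else 0)
```

Run it from the project root after `mvn verify`; a non-zero exit means a font or image was dropped or changed on its way into the build output.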

ghostroot007 and others added 2 commits June 15, 2025 13:50
Bumped Vert.x version to the latest stable.

Closes: #1234
Signed-off-by: ghostroot007 <iamajaykrishnaj@gmail.com>
Bumped Vert.x version to the latest stable.

Closes: #1234
Signed-off-by: ghostroot007 <iamajaykrishnaj@gmail.com>
@ghostroot007
Contributor Author

Verified locally - mvn verify

Screenshot 2025-06-15 at 1 31 04 PM

@aswinayyolath
Contributor

aswinayyolath commented Jun 15, 2025

Yeah looks good... can you also verify that the fonts are rendered properly in the browser by running the starter application?

@aswinayyolath
Contributor

package-lock.json changes under .github/actions are unnecessary, pls revert them and push.

@ghostroot007
Contributor Author

Yes, I’ve reverted the unintended changes to those files. I ran mvn clean followed by mvn verify, and amended the previous commit message. After pushing the changes, I noticed updates to some package-lock.json files. I suspect these were caused by a Git hook (likely Husky) that ran while editing the commit message. In any case, I’ve now reverted those changes.

image

@ghostroot007
Contributor Author

> can you also verify that the fonts are rendered properly in the browser by running the starter application ?

@aswinayyolath I've verified this locally after excluding the WOFF binaries from filtering, and I didn't observe any UI breakages.

image

@aswinayyolath
Contributor

Yeah looks good

@gmcrobert gmcrobert merged commit ea6921d into ibm-messaging:master Jun 23, 2025
2 checks passed