Merge branch 'main' into fix/broder-settings

germanosin · web-flow · commit 5d8c2288a331 · 2025-07-14T10:34:43.000+02:00
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -2,6 +2,7 @@
 
 
 # BACKEND
+gradle/libs.versions.toml   @kafbat/backend
 /build.gradle               @kafbat/backend
 /gradle.properties          @kafbat/backend
 /settings.gradle            @kafbat/backend
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -7,8 +7,6 @@ updates:
     interval: weekly
     time: "10:00"
     timezone: Europe/London
-  reviewers:
-    - "kafbat/backend"
   open-pull-requests-limit: 10
   labels:
     - "type/dependencies"
@@ -27,8 +25,6 @@ updates:
     interval: weekly
     time: "10:00"
     timezone: Europe/London
-  reviewers:
-    - "kafbat/backend"
   open-pull-requests-limit: 10
   ignore:
   - dependency-name: "azul/zulu-openjdk-alpine"
@@ -43,8 +39,6 @@ updates:
     interval: weekly
     time: "10:00"
     timezone: Europe/London
-  reviewers:
-    - "kafbat/frontend"
   open-pull-requests-limit: 10
   versioning-strategy: increase-if-necessary
   labels:
@@ -64,8 +58,6 @@ updates:
     interval: weekly
     time: "10:00"
     timezone: Europe/London
-  reviewers:
-    - "kafbat/devops"
   open-pull-requests-limit: 10
   labels:
     - "type/dependencies"
diff --git a/api/build.gradle b/api/build.gradle
@@ -14,7 +14,12 @@ dependencies {
     implementation project(":contract")
     implementation project(":serde-api")
     implementation libs.spring.starter.webflux
-    implementation libs.spring.starter.security
+    implementation(libs.spring.starter.security){
+        exclude group: 'com.nimbusds', module: 'nimbus-jose-jwt' because("Temporary overwrite to fix CVE-2025-53864. See https://avd.aquasec.com/nvd/2025/cve-2025-53864/")
+    }
+    implementation(libs.nimbus.jose.jwt){
+        because("Fixes CVE-2025-5386. See https://avd.aquasec.com/nvd/2025/cve-2025-53864/")
+    }
     implementation libs.spring.starter.actuator
     implementation libs.spring.starter.logging
     implementation libs.spring.starter.oauth2.client
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -1,10 +1,11 @@
 [versions]
 spring-boot = '3.5.3'
+nimbus-jose-jwt = '10.0.2'
 
 aws-msk-auth = '2.3.0'
 azure-identity = '1.15.4'
 
-apache-commons-lang3 = '3.12.0'
+apache-commons-lang3 = '3.18.0'
 apache-commons-io = '2.18.0'
 apache-commons-pool2 = '2.12.1'
 apache-datasketches = '3.1.0'
@@ -60,6 +61,8 @@ spring-starter-actuator = { module = 'org.springframework.boot:spring-boot-start
 spring-starter-test = { module = 'org.springframework.boot:spring-boot-starter-test', version.ref = 'spring-boot' }
 spring-starter-webflux = { module = 'org.springframework.boot:spring-boot-starter-webflux', version.ref = 'spring-boot' }
 spring-starter-security = { module = 'org.springframework.boot:spring-boot-starter-security', version.ref = 'spring-boot' }
+# Temporary overwrite to fix CVE-2025-53864
+nimbus-jose-jwt = { module = 'com.nimbusds:nimbus-jose-jwt', version.ref = 'nimbus-jose-jwt' }
 spring-starter-validation = { module = 'org.springframework.boot:spring-boot-starter-validation', version.ref = 'spring-boot' }
 spring-starter-oauth2-client = { module = 'org.springframework.boot:spring-boot-starter-oauth2-client', version.ref = 'spring-boot' }
 spring-starter-logging = { module = 'org.springframework.boot:spring-boot-starter-logging', version.ref = 'spring-boot' }
