Merge branch 'kafbat:main' into issues/1324

Author: tub

.github/dependabot.yml

@@ -20,10 +20,19 @@ updates:
       update-types:
         - "patch"
         - "minor"
+      exclude-patterns:
+          - "org.springframework.boot:*"
+          - "io.spring.dependency-management"
+          # All netty references are temporary overwrites that must be set carefully
+          # We do not need dependabot to send pull requests
+          - "io.netty:*"    
     other-dependencies:
       exclude-patterns:
         - "org.springframework.boot:*"
         - "io.spring.dependency-management"
+        # All netty references are temporary overwrites that must be set carefully
+        # We do not need dependabot to send pull requests
+        - "io.netty:*"
       patterns:
         - "*"
       update-types:

.github/workflows/e2e-playwright-manual.yml

@@ -0,0 +1,22 @@
+name: "E2E: Playwright Manual run"
+on:
+  workflow_dispatch:
+    inputs:
+      sha:
+        description: Commit to run on
+        required: true
+        type: string
+
+permissions:
+  contents: read
+  checks: write
+  statuses: write
+
+jobs:
+  build-and-test:
+    uses: ./.github/workflows/e2e-playwright-run.yml
+    secrets: inherit
+    with:
+      sha: ${{ inputs.sha }}
+
+

.github/workflows/e2e-playwright-pr.yml

@@ -0,0 +1,27 @@
+name: "Playwright E2E: PR tests"
+on:
+  pull_request:
+    types: [ "opened", "reopened", "synchronize" ]
+    paths:
+      - "build.gradle"
+      - "gradle.properties"
+      - "settings.gradle"
+      - "gradle/libs.versions.toml"
+
+      - "contract/**"
+      - "api/**"
+      - "serde-api/**"
+      - "frontend/**"
+      - "e2e-playwright/**"
+
+permissions:
+  contents: read
+  checks: write
+  statuses: write
+
+jobs:
+  build-and-test:
+    uses: ./.github/workflows/e2e-playwright-run.yml
+    secrets: inherit
+    with:
+      sha: ${{ github.event.pull_request.head.sha }}

.github/workflows/e2e-playwright.yml renamed to .github/workflows/e2e-playwright-run.yml

@@ -1,9 +1,11 @@
-name: "E2E: Playwright Manual run"
+name: "E2E: Playwright"
+
 on:
-  workflow_dispatch:
-    sha:
-      required: true
-      type: string
+  workflow_call:
+    inputs:
+      sha:
+        required: true
+        type: string
 
 permissions:
   contents: read
@@ -30,6 +32,7 @@ jobs:
         uses: actions/setup-node@v3
         with:
           node-version: 18
+          cache: 'npm'
 
       - name: Install NPM dependencies
         working-directory: ./e2e-playwright

api/build.gradle

@@ -68,6 +68,10 @@ dependencies {
     // CVE Fixes
     implementation libs.apache.commons.compress
     implementation libs.okhttp3.logging.intercepter
+    // START Fixes https://www.cve.org/CVERecord?id=CVE-2025-58056 and https://www.cve.org/CVERecord?id=CVE-2025-58057
+    implementation libs.netty.codec
+    implementation libs.netty.codec.http
+    // END Fixes https://www.cve.org/CVERecord?id=CVE-2025-58056 and https://www.cve.org/CVERecord?id=CVE-2025-58057
     // CVE Fixes End
 
     implementation libs.modelcontextprotocol.spring.webflux

gradle/libs.versions.toml

@@ -1,6 +1,7 @@
 [versions]
 spring-boot = '3.5.5'
 nimbus-jose-jwt = '10.0.2'
+netty = '4.1.125.Final'
 
 aws-msk-auth = '2.3.0'
 azure-identity = '1.15.4'
@@ -149,3 +150,9 @@ prometheus-metrics-textformats = { module = 'io.prometheus:prometheus-metrics-ex
 prometheus-metrics-exporter-pushgateway  = { module = 'io.prometheus:prometheus-metrics-exporter-pushgateway', version.ref = 'prometheus'}
 
 snappy = {module = 'org.xerial.snappy:snappy-java', version = '1.1.10.7'}
+
+# CVE fixes
+# START Fixes https://www.cve.org/CVERecord?id=CVE-2025-58056 and https://www.cve.org/CVERecord?id=CVE-2025-58057
+netty-codec = {module = 'io.netty:netty-codec', version.ref = 'netty'}
+netty-codec-http = {module = 'io.netty:netty-codec-http', version.ref = 'netty'}
+# END Fixes https://www.cve.org/CVERecord?id=CVE-2025-58056 and https://www.cve.org/CVERecord?id=CVE-2025-58057