@rjrudin rjrudin commented Oct 22, 2025

Also bumped an old version of xmlunit. Pretty sure the junit:junit stuff can be easily removed next.

Copilot AI review requested due to automatic review settings October 22, 2025 18:04
@github-actions

Copyright Validation Results
Total: 5 | Passed: 0 | Failed: 0 | Skipped: 5 | at: 2025-10-22 18:05:21 UTC | commit: 47f0091

⏭️ Skipped (Excluded) Files

  • build.gradle
  • marklogic-client-api-functionaltests/build.gradle
  • marklogic-client-api/build.gradle
  • ml-development-tools/build.gradle
  • test-app/build.gradle

✅ All files have valid copyright headers!

Copilot AI left a comment

Pull Request Overview

This pull request addresses security vulnerabilities by bumping versions of Spring dependencies (through transitives), Undertow, and XMLUnit libraries.

Key changes:

  • Updated Undertow from 2.3.19.Final to 2.3.20.Final to address CVEs
  • Migrated XMLUnit from legacy 1.6 to modern 2.10.4 with updated Maven coordinates
  • Updated JUnit Jupiter and ml-app-deployer dependencies to latest versions

Reviewed Changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| test-app/build.gradle | Updated Undertow core and servlet dependencies to version 2.3.20.Final |
| ml-development-tools/build.gradle | Migrated from xmlunit:xmlunit:1.6 to org.xmlunit:xmlunit-legacy:2.10.4 |
| marklogic-client-api/build.gradle | Updated JUnit Jupiter to 5.14.0 and ml-app-deployer to 6.2-SNAPSHOT |
| marklogic-client-api-functionaltests/build.gradle | Updated ml-app-deployer to 6.2-SNAPSHOT |


// Allows talking to the Manage API.
testImplementation "com.marklogic:ml-app-deployer:6.1.0"
testImplementation "com.marklogic:ml-app-deployer:6.2-SNAPSHOT"
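
Review bot: The new ml-app-deployer line pins 6.2-SNAPSHOT, a mutable version, so the same commit can resolve to different artifacts over time and the test classpath trusts whatever is currently published under that snapshot. The dependency is scoped to testImplementation, so it stays on the test classpath only, but the build is no longer reproducible; add a comment beside the "Allows talking to the Manage API" line saying why a snapshot is needed and when it will be replaced by a release version.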

Copilot AI Oct 22, 2025

Using a SNAPSHOT dependency in production code introduces instability, as the artifact can change without notice. Consider using a stable release version instead, or document why a SNAPSHOT is required.

Suggested change
testImplementation "com.marklogic:ml-app-deployer:6.2-SNAPSHOT"
testImplementation "com.marklogic:ml-app-deployer:6.2.0"

testImplementation 'org.apache.commons:commons-lang3:3.19.0'

testImplementation "com.marklogic:ml-app-deployer:6.1.0"
testImplementation "com.marklogic:ml-app-deployer:6.2-SNAPSHOT"
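
Review bot: The ml-app-deployer line in this hunk repeats the exact coordinate and version string changed in the earlier hunk, so the version is maintained by hand in two build files. Define it once, for example as a shared property that both build.gradle files read, so the eventual move off 6.2-SNAPSHOT is a one-line change that cannot leave the two modules on different versions.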

Copilot AI Oct 22, 2025

Using a SNAPSHOT dependency in production code introduces instability, as the artifact can change without notice. Consider using a stable release version instead, or document why a SNAPSHOT is required.

Suggested change
testImplementation "com.marklogic:ml-app-deployer:6.2-SNAPSHOT"
testImplementation "com.marklogic:ml-app-deployer:6.2.0"

@rjrudin rjrudin merged commit 6f321dd into develop Oct 22, 2025
3 checks passed
@rjrudin rjrudin deleted the feature/bump branch October 22, 2025 18:16