Skip to content

INS-1644 CVE Fixes#166

Merged
amattu2 merged 3 commits into
3.4.0from
340-cve-fixes
May 28, 2026
Merged

INS-1644 CVE Fixes#166
amattu2 merged 3 commits into
3.4.0from
340-cve-fixes

Conversation

@amattu2
Copy link
Copy Markdown
Contributor

@amattu2 amattu2 commented May 26, 2026

Overview

N/A

Change Details (Specifics)

N/A

Related Ticket(s)

INS-1644 (Task)

amattu2 added 3 commits May 18, 2026 14:13
@amattu2
Bump tomcat to 11.0.22
e7ffbd5
@amattu2
chore(deps): Bump dependencies for CVEs
bfe5621 
- spring-boot from 3.4.5 to 3.5.14
- io.netty_netty-codec from 4.1.125.Final to 4.1.133.Final
- org.apache.logging.log4j_log4j-core from 2.25.3 to 2.25.4
- spring-webmvc from 6.2.17 to 6.2.18
@amattu2
fix(deps): remove version for spring-boot-starter-log4j2 dependency
7532c27
@amattu2 amattu2 added this to the 3.4.0 milestone May 26, 2026
@amattu2 amattu2 temporarily deployed to ccdi-manager-nonprod May 26, 2026 17:43 — with GitHub Actions Inactive
@codacy-production
Copy link
Copy Markdown

codacy-production Bot commented May 26, 2026

Not up to standards ⛔

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

@amattu2 amattu2 marked this pull request as ready for review May 28, 2026 17:43
Copilot AI review requested due to automatic review settings May 28, 2026 17:43
Copilot AI reviewed May 28, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Routine CVE remediation PR that bumps several dependency and runtime versions. Spring Boot parent goes from 3.4.5 to 3.5.14, Spring Framework override from 6.2.17 to 6.2.18, Netty 4.1.125→4.1.133, Log4j 2.25.3→2.25.4, embedded Tomcat 11.0.21→11.0.22 (matching the Tomcat base image), and Spring REST Docs 3.0.3→3.0.5. The explicit version on spring-boot-starter-log4j2 is removed so it inherits from the (now newer) parent.

Changes:

  • Upgrade Spring Boot parent to 3.5.14 and align Spring Framework, REST Docs, Log4j, Netty, and embedded Tomcat versions for CVE fixes.
  • Drop the hardcoded version on spring-boot-starter-log4j2, deferring to the Spring Boot parent BOM.
  • Bump the Tomcat runtime base image to tomcat:11.0.22-jdk17 to match the embedded Tomcat dependency.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
pom.xml Version bumps for Spring Boot parent, Spring Framework, REST Docs, Log4j, Netty, and embedded Tomcat; removes explicit version on spring-boot-starter-log4j2.
Dockerfile Updates Tomcat base image from 11.0.21-jdk17 to 11.0.22-jdk17.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@amattu2 amattu2 merged commit 1f4358c into 3.4.0 May 28, 2026
4 of 5 checks passed
@amattu2 amattu2 deleted the 340-cve-fixes branch May 28, 2026 17:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

3.4.0

Development

Successfully merging this pull request may close these issues.

2 participants

@amattu2