Update package dependencies with security vulnerabilities #1081

alicejgibbons · 2024-07-19T09:02:16Z

Packages with High security vulnerabilities in SDK version 1.11.0:

dapr-sdk-springboot:

org.springframework spring-web-5.3.25 -> 6.1.5 CWE-502
org.springframework.boot spring-boot-autoconfigure 2.7.8 -> 3.3.1 CWE-400

dapr-sdk, dapr-sdk-springboot, dapr-sdk-actors:

com.squareup.okio okio-2.8.0 -> 3.9.0 CWE-681
org.jetbrains.kotlin kotlin-stdlib 1.4.10 -> 2.0.0 CWE-667

Release Note

RELEASE NOTE: UPDATE Package dependencies.

salaboy · 2024-07-19T09:48:29Z

All these packages had been for the upcoming 1.12.0 release, as spring boot version was upgraded to 3.2.6.

com.squareup.okio okio-2.8.0 and org.jetbrains.kotlin kotlin-stdlib 1.4.10 were removed.

artur-ciocanu · 2024-08-30T13:34:38Z

@alicejgibbons we have upgraded recently everything to Spring Boot 3.2+ and Spring Boot 3.3+ so we shouldn't have any high security vulnerabilities, but do let us know if you still see any offending dependencies and we will take care, otherwise we can mark this issue as resolved.

Thank you! 🙇

alicejgibbons · 2024-08-30T19:38:51Z

Thanks for your hard work @artur-ciocanu, closing as completed!

alicejgibbons added the kind/bug Something isn't working label Jul 19, 2024

alicejgibbons closed this as completed Aug 30, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update package dependencies with security vulnerabilities #1081

Update package dependencies with security vulnerabilities #1081

alicejgibbons commented Jul 19, 2024

salaboy commented Jul 19, 2024

artur-ciocanu commented Aug 30, 2024

alicejgibbons commented Aug 30, 2024

Update package dependencies with security vulnerabilities #1081

Update package dependencies with security vulnerabilities #1081

Comments

alicejgibbons commented Jul 19, 2024

Release Note

salaboy commented Jul 19, 2024

artur-ciocanu commented Aug 30, 2024

alicejgibbons commented Aug 30, 2024