From 6d78bce0de6b19b6d55b89eb1a9465c3c6079edb Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Wed, 13 Sep 2023 09:25:30 -0500 Subject: [PATCH 01/13] Disable codecov from failing CI if there is an upload issue (#3353) ### Description Seeing a ton of CI failures due to code coverage upload failures. I'd like to fix this - but I'd rather keep the builds flowing in until we have a better solution. E.g: https://github.com/opensearch-project/security/actions/runs/6153593099/job/16697726519?pr=3339 - Related https://github.com/opensearch-project/security/issues/2649 ### Check List - [ ] New functionality includes testing - [ ] New functionality has been documented - [X] Commits are signed per the DCO using --signoff By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). Signed-off-by: Peter Nied --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f6f9aa66d3..71a4bd1b00 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -67,7 +67,7 @@ jobs: action: codecov/codecov-action@v3 with: | token: ${{ secrets.CODECOV_TOKEN }} - fail_ci_if_error: true + fail_ci_if_error: false files: ./build/reports/jacoco/test/jacocoTestReport.xml - uses: actions/upload-artifact@v3 From 1c0a0505851bcbffb0f85143e44b802debaebb07 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Sep 2023 09:45:21 -0500 Subject: [PATCH 02/13] dependabot: bump org.springframework.kafka:spring-kafka-test from 2.9.11 to 2.9.12 (#3341) Bumps [org.springframework.kafka:spring-kafka-test](https://github.com/spring-projects/spring-kafka) from 2.9.11 to 2.9.12. 
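Review bot: With `fail_ci_if_error: false` a failed or skipped coverage upload is no longer surfaced by the workflow result, so a broken report path, an expired CODECOV_TOKEN or a coverage regression that never reaches the dashboard will go unnoticed until someone checks Codecov by hand; the hunk gives no other signal in its place. Since the description frames this as a stopgap pending issue #2649, I would record that intent next to the key and keep the failure reason visible in the job log by also enabling the action's `verbose` input: `# Stopgap while #2649 is open: upload errors are logged but do not fail the job`, `fail_ci_if_error: false`, `verbose: true`. A reviewer could then spot upload failures in the log without the build being blocked. The step's `with:` block and the enclosing job start outside the hunk, so whether a retry wrapper already handles transient upload errors cannot be confirmed from here.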
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index 37fcf5f4a1..327831c9fe 100644 --- a/build.gradle +++ b/build.gradle @@ -592,7 +592,7 @@ dependencies { testImplementation "org.apache.kafka:kafka-group-coordinator:${kafka_version}" testImplementation "org.apache.kafka:kafka_2.13:${kafka_version}:test" testImplementation "org.apache.kafka:kafka-clients:${kafka_version}:test" - testImplementation 'org.springframework.kafka:spring-kafka-test:2.9.11' + testImplementation 'org.springframework.kafka:spring-kafka-test:2.9.12' testImplementation 'org.springframework:spring-beans:5.3.20' testImplementation 'org.junit.jupiter:junit-jupiter:5.10.0' testImplementation 'org.junit.jupiter:junit-jupiter-api:5.10.0' From 88f0272ef971cda93500a5be9b12aa58689ebaac Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Sep 2023 09:45:36 -0500 Subject: [PATCH 03/13] dependabot: bump actions/checkout from 3 to 4 (#3340) Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4. Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/auto-release.yml | 2 +- .github/workflows/ci.yml | 12 ++++++------ .github/workflows/code-hygiene.yml | 10 +++++----- .github/workflows/integration-tests.yml | 2 +- .github/workflows/maven-publish.yml | 2 +- .github/workflows/plugin_install.yml | 2 +- 6 files changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml index ca0a797f42..7a3a250ba0 100644 --- a/.github/workflows/auto-release.yml +++ b/.github/workflows/auto-release.yml 
@@ -21,7 +21,7 @@ jobs: - name: Get tag id: tag uses: dawidd6/action-get-tag@v1 - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: ncipollo/release-action@v1 with: github_token: ${{ steps.github_app_token.outputs.token }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 71a4bd1b00..d5d5e3430d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -24,7 +24,7 @@ jobs: java-version: 17 - name: Checkout security - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Generate list of tasks id: set-matrix @@ -50,7 +50,7 @@ jobs: java-version: ${{ matrix.jdk }} - name: Checkout security - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Build and Test uses: gradle/gradle-build-action@v2 @@ -98,7 +98,7 @@ jobs: java-version: ${{ matrix.jdk }} - name: Checkout security - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Build and Test uses: gradle/gradle-build-action@v2 @@ -123,7 +123,7 @@ jobs: java-version: ${{ matrix.jdk }} - name: Checkout Security Repo - uses: actions/checkout@v3 + uses: actions/checkout@v4 - id: build-previous uses: ./.github/actions/run-bwc-suite @@ -137,7 +137,7 @@ jobs: code-ql: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: actions/setup-java@v3 with: distribution: temurin # Temurin is a distribution of adoptium @@ -151,7 +151,7 @@ jobs: build-artifact-names: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: actions/setup-java@v3 with: diff --git a/.github/workflows/code-hygiene.yml b/.github/workflows/code-hygiene.yml index f4b39f9562..7aca45f064 100644 --- a/.github/workflows/code-hygiene.yml +++ b/.github/workflows/code-hygiene.yml @@ -8,7 +8,7 @@ jobs: name: Check if all files end in newline steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Linelint uses: fernandrone/linelint@0.0.6 
@@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest name: Spotless scan steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: actions/setup-java@v3 with: @@ -33,7 +33,7 @@ jobs: runs-on: ubuntu-latest name: Checkstyle scan steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: actions/setup-java@v3 with: @@ -49,7 +49,7 @@ jobs: runs-on: ubuntu-latest name: Spotbugs scan steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: actions/setup-java@v3 with: @@ -65,7 +65,7 @@ jobs: runs-on: ubuntu-latest name: Check permissions orders steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - run: npm install yaml - name: Check permissions order diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml index 201cbe3491..eb11d0e478 100644 --- a/.github/workflows/integration-tests.yml +++ b/.github/workflows/integration-tests.yml @@ -20,7 +20,7 @@ jobs: distribution: temurin # Temurin is a distribution of adoptium java-version: ${{ matrix.jdk }} - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - run: OPENDISTRO_SECURITY_TEST_OPENSSL_OPT=true ./gradlew test diff --git a/.github/workflows/maven-publish.yml b/.github/workflows/maven-publish.yml index ad10199ad0..ac0e714674 100644 --- a/.github/workflows/maven-publish.yml +++ b/.github/workflows/maven-publish.yml @@ -21,7 +21,7 @@ jobs: with: distribution: temurin # Temurin is a distribution of adoptium java-version: 11 - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: aws-actions/configure-aws-credentials@v3 with: role-to-assume: ${{ secrets.PUBLISH_SNAPSHOTS_ROLE }} diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index dc598d79a0..5bfce0248b 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml 
@@ -23,7 +23,7 @@ jobs: java-version: ${{ matrix.jdk }} - name: Checkout Branch - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Assemble target plugin uses: gradle/gradle-build-action@v2 From fdd64a9fc91c343ebd8c93a327f5c3c825acbb1d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Sep 2023 10:17:29 -0500 Subject: [PATCH 04/13] dependabot: bump org.scala-lang:scala-library from 2.13.11 to 2.13.12 (#3344) Bumps [org.scala-lang:scala-library](https://github.com/scala/scala) from 2.13.11 to 2.13.12. Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- build.gradle | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/build.gradle b/build.gradle index 327831c9fe..d694281fcb 100644 --- a/build.gradle +++ b/build.gradle @@ -418,7 +418,7 @@ configurations { resolutionStrategy { force 'commons-codec:commons-codec:1.16.0' force 'org.slf4j:slf4j-api:1.7.36' - force 'org.scala-lang:scala-library:2.13.11' + force 'org.scala-lang:scala-library:2.13.12' force "com.fasterxml.jackson:jackson-bom:${versions.jackson}" force "com.fasterxml.jackson.core:jackson-core:${versions.jackson}" force "com.fasterxml.jackson.datatype:jackson-datatype-jdk8:${versions.jackson}" @@ -608,7 +608,7 @@ dependencies { testRuntimeOnly ('org.springframework:spring-core:5.3.29') { exclude(group:'org.springframework', module: 'spring-jcl' ) } - testRuntimeOnly 'org.scala-lang:scala-library:2.13.11' + testRuntimeOnly 'org.scala-lang:scala-library:2.13.12' testRuntimeOnly 'com.yammer.metrics:metrics-core:2.2.0' testRuntimeOnly 'com.typesafe.scala-logging:scala-logging_3:3.9.5' testRuntimeOnly 'org.apache.zookeeper:zookeeper:3.7.1' From cacb9facab48b6ad3520f802450e8e8264af87bd Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Sep 2023 10:17:53 -0500 Subject: [PATCH 05/13] dependabot: bump org.springframework:spring-beans from 5.3.20 to 5.3.29 (#3342) Bumps [org.springframework:spring-beans](https://github.com/spring-projects/spring-framework) from 5.3.20 to 5.3.29. Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index d694281fcb..16880ec5f4 100644 --- a/build.gradle +++ b/build.gradle @@ -593,7 +593,7 @@ dependencies { testImplementation "org.apache.kafka:kafka_2.13:${kafka_version}:test" testImplementation "org.apache.kafka:kafka-clients:${kafka_version}:test" testImplementation 'org.springframework.kafka:spring-kafka-test:2.9.12' - testImplementation 'org.springframework:spring-beans:5.3.20' + testImplementation 'org.springframework:spring-beans:5.3.29' testImplementation 'org.junit.jupiter:junit-jupiter:5.10.0' testImplementation 'org.junit.jupiter:junit-jupiter-api:5.10.0' // Only osx-x86_64, osx-aarch_64, linux-x86_64, linux-aarch_64, windows-x86_64 are available From eac5c00bdc80d0b4e7eb99f379ca038dc1a72a0d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Sep 2023 11:53:02 -0400 Subject: [PATCH 06/13] dependabot: bump tibdex/github-app-token from 1.8.2 to 2.0.0 (#3339) Bumps [tibdex/github-app-token](https://github.com/tibdex/github-app-token) from 1.8.2 to 2.0.0. Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/auto-release.yml | 2 +- .github/workflows/backport.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml index 7a3a250ba0..51f9aa8299 100644 
--- a/.github/workflows/auto-release.yml +++ b/.github/workflows/auto-release.yml @@ -13,7 +13,7 @@ jobs: steps: - name: GitHub App token id: github_app_token - uses: tibdex/github-app-token@v1.8.2 + uses: tibdex/github-app-token@v2.0.0 with: app_id: ${{ secrets.APP_ID }} private_key: ${{ secrets.APP_PRIVATE_KEY }} diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml index 4a19e107c2..030c51d9cc 100644 --- a/.github/workflows/backport.yml +++ b/.github/workflows/backport.yml @@ -16,7 +16,7 @@ jobs: steps: - name: GitHub App token id: github_app_token - uses: tibdex/github-app-token@v1.8.2 + uses: tibdex/github-app-token@v2.0.0 with: app_id: ${{ secrets.APP_ID }} private_key: ${{ secrets.APP_PRIVATE_KEY }} From 2ad8272b8f1df1ba439de85dc9e27cff4c752077 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Sep 2023 17:54:04 +0200 Subject: [PATCH 07/13] dependabot: bump com.nulab-inc:zxcvbn from 1.8.0 to 1.8.2 (#3343) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [com.nulab-inc:zxcvbn](https://github.com/nulab/zxcvbn4j) from 1.8.0 to 1.8.2.
Release notes

Sourced from com.nulab-inc:zxcvbn's releases.

1.8.2

What's Changed

Full Changelog: https://github.com/nulab/zxcvbn4j/compare/1.8.1...1.8.2

1.8.1

What's Changed

Full Changelog: https://github.com/nulab/zxcvbn4j/compare/1.8.0...1.8.1

Changelog

Sourced from com.nulab-inc:zxcvbn's changelog.

1.8.2 (2023-08-21)

  • fix: fix the discrepancy in password guesses between zxcvbn and zxcvbn4j #151 (vvatanabe)
  • style: format all with google-java-format #150 (vvatanabe)
  • refactor: refactoring matchers.Match #149 (vvatanabe)
  • refactor: refactoring matchers.OmnibusMatcher #148 (vvatanabe)

1.8.1 (2023-08-18)

Commits
  • 763c214 1.8.2
  • 1b31a17 Merge pull request #151 from nulab/fix-the-discrepancy-in-password-guesses-be...
  • 44dda11 fix: fix the discrepancy in password guesses between zxcvbn and zxcvbn4j (#105)
  • a213a44 Merge pull request #150 from nulab/apply-google-java-format
  • 0347d6e style: format all with google-java-format
  • a90235c Merge pull request #149 from nulab/refactoring-Match
  • 3d44718 refactor: refactoring matchers.Match
  • e733acd style: format code and optimize imports in matchers.Match
  • a677ae3 Merge pull request #148 from nulab/refactoring-OmnibusMatcher
  • a8024dc refactor: refactoring matchers.OmnibusMatcher
  • Additional commits viewable in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.nulab-inc:zxcvbn&package-manager=gradle&previous-version=1.8.0&new-version=1.8.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index 16880ec5f4..1f3d9a189a 100644 --- a/build.gradle +++ b/build.gradle @@ -548,7 +548,7 @@ dependencies { runtimeOnly "org.opensaml:opensaml-soap-impl:${open_saml_version}" implementation "org.opensaml:opensaml-storage-api:${open_saml_version}" - implementation "com.nulab-inc:zxcvbn:1.8.0" + implementation "com.nulab-inc:zxcvbn:1.8.2" runtimeOnly 'com.google.guava:failureaccess:1.0.1' runtimeOnly 'org.apache.commons:commons-text:1.10.0' From 283c3be8244dff5d6efc19ec10e82e81098dee4f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Sep 2023 08:16:13 -0400 Subject: [PATCH 08/13] dependabot: bump org.apache.ws.xmlschema:xmlschema-core from 2.3.0 to 2.3.1 (#3368) Bumps org.apache.ws.xmlschema:xmlschema-core from 2.3.0 to 2.3.1. [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.apache.ws.xmlschema:xmlschema-core&package-manager=gradle&previous-version=2.3.0&new-version=2.3.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index 1f3d9a189a..afdbd011ba 100644 --- a/build.gradle +++ b/build.gradle @@ -563,7 +563,7 @@ dependencies { runtimeOnly 'org.codehaus.woodstox:stax2-api:4.2.1' runtimeOnly "org.glassfish.jaxb:txw2:${jaxb_version}" runtimeOnly 'com.fasterxml.woodstox:woodstox-core:6.5.1' - runtimeOnly 'org.apache.ws.xmlschema:xmlschema-core:2.3.0' + runtimeOnly 'org.apache.ws.xmlschema:xmlschema-core:2.3.1' runtimeOnly 'org.apache.santuario:xmlsec:2.3.3' runtimeOnly "com.github.luben:zstd-jni:${versions.zstd}" runtimeOnly 'org.checkerframework:checker-qual:3.36.0' From bec360afd7973c7acff8e92e34906d241c72affd Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Sep 2023 08:17:49 -0400 Subject: [PATCH 09/13] dependabot: bump aws-actions/configure-aws-credentials from 3 to 4 (#3370) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) from 3 to 4.
Release notes

Sourced from aws-actions/configure-aws-credentials's releases.

v4

This tag tracks the latest v4.x.x release

v4.0.0

See the changelog for details about the changes included in this release.

v3.0.2

See the changelog for details about the changes included in this release.

v3.0.1

See the changelog for details about the changes included in this release.

Changelog

Sourced from aws-actions/configure-aws-credentials's changelog.

3.0.1 (2023-08-24)

Features

  • Can configure special-characters-workaround to keep retrying credentials if the returned credentials have special characters (Fixes #599)

Bug Fixes

Changes to existing functionality

  • Special characters are now allowed in returned credential variables unless you configure the special-characters-workaround option

3.0.0 (2023-08-21)

Features

  • Can configure max-retries and disable-retry to modify retry functionality when the assume role call fails
  • Set returned credentials as step outputs with output-credentials
  • Clear AWS related environment variables at the start of the action with unset-current-credentials
  • Unique role identifier is now printed in the workflow logs

Bug Fixes

  • Can't use credentials if they contain a special character
  • Retry functionality added when generating the JWT fails
  • Can now use webIdentityTokenFile option
  • Branch name validation too strict
  • JS SDK v2 deprecation warning in workflow logs

Changes to existing functionality

  • Default session duration is now 1 hour in all cases (from 6 hours in some cases)
  • Account ID will not be masked by default in logs
Commits

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=aws-actions/configure-aws-credentials&package-manager=github_actions&previous-version=3&new-version=4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/maven-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/maven-publish.yml b/.github/workflows/maven-publish.yml index ac0e714674..1d904020ca 100644 --- a/.github/workflows/maven-publish.yml +++ b/.github/workflows/maven-publish.yml @@ -22,7 +22,7 @@ jobs: distribution: temurin # Temurin is a distribution of adoptium java-version: 11 - uses: actions/checkout@v4 - - uses: aws-actions/configure-aws-credentials@v3 + - uses: aws-actions/configure-aws-credentials@v4 with: role-to-assume: ${{ secrets.PUBLISH_SNAPSHOTS_ROLE }} aws-region: us-east-1 From 558f47e622efa9de1c352feaefcf33c588dcb020 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Sep 2023 14:19:35 +0200 Subject: [PATCH 10/13] dependabot: bump apache_cxf_version from 4.0.2 to 4.0.3 (#3365) Bumps `apache_cxf_version` from 4.0.2 to 4.0.3. Updates `org.apache.cxf:cxf-rt-rs-security-jose` from 4.0.2 to 4.0.3 Updates `org.apache.cxf:cxf-core` from 4.0.2 to 4.0.3 Updates `org.apache.cxf:cxf-rt-rs-json-basic` from 4.0.2 to 4.0.3 Updates `org.apache.cxf:cxf-rt-security` from 4.0.2 to 4.0.3 Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index afdbd011ba..85deff1b81 100644 --- a/build.gradle +++ b/build.gradle @@ -26,7 +26,7 @@ buildscript { common_utils_version = System.getProperty("common_utils.version", '3.0.0.0-SNAPSHOT') kafka_version = '3.5.1' - apache_cxf_version = '4.0.2' + apache_cxf_version = '4.0.3' open_saml_version = '4.3.0' one_login_java_saml = '2.9.0' jjwt_version = '0.11.5' From 660e2da1fada1fcf949233a79bfddb2adb280e45 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Sep 2023 14:20:23 +0200 Subject: [PATCH 11/13] dependabot: bump org.springframework:spring-beans from 5.3.29 to 5.3.30 (#3366) Bumps [org.springframework:spring-beans](https://github.com/spring-projects/spring-framework) from 5.3.29 to 5.3.30.
Release notes

Sourced from org.springframework:spring-beans's releases.

v5.3.30

:star: New Features

  • Optimize ClassUtils#getMostSpecificMethod #31100
  • Optimize whitespace checks in StringUtils #31069
  • Align validation metadata handling in PayloadMethodArgumentResolver #31056
  • Register an override for an existing adapter in ReactiveAdapterRegistry #31048
  • Make bean initialization deterministic for multiple @Autowired methods on same bean class #30994
  • Performance bottlenecks while creating scoped bean instances #30892

:lady_beetle: Bug Fixes

  • Possible classloader leak through incomplete clearing of annotation caches #31176
  • Spring LogFactory implementation deviates from original Apache LogFactory in terms of abstract method declarations #31167
  • Bean injection fails due to nullSafeConciseToString() invoking isEmpty() on a Map/Collection proxy #31156
  • SpelExpressionParser throws IllegalStateException instead of ParseException for invalid expression #31099
  • @DynamicPropertySource in @Nested test class cannot override dynamic properties from enclosing class #31085
  • TransactionalApplicationListenerMethodAdapter should find @TransactionalEventListener on target class method #31037
  • ScheduledAnnotationBeanPostProcessor: graceful shutdown should not interrupt currently running jobs #31020
  • Permgen memory leak due to ClassInfo caching in java.beans.Introspector on JDK 11/17 #31005
  • MethodIntrospector.selectMethods(?) fails to find methods in case of special bridge method arrangement #30907

:notebook_with_decorative_cover: Documentation

  • Fix documentation: Passing in Lists of Values for IN Clause does not work with JdbcTemplate #31229
  • Refine CORS documentation for wildcard processing #31168
  • Propagation REQUIRES_NEW may cause connection pool deadlock #31040
  • Clarify R2DBC ConnectionAccessor and DatabasePopulator exception declarations #30933
  • Doc: Avoid deadlock in @PostConstruct through SmartInitializingSingleton or ContextRefreshedEvent #30889
Commits
  • e5d99ec Release v5.3.30
  • f7bf243 Clarify IN clause resolution with List/Iterable parameter
  • 40678bb Refine CORS documentation for wildcard processing
  • 75faf69 Refine CORS documentation for wildcard processing
  • 39c225c AnnotationUtils.clearCache() includes all annotation caches
  • 0c3d8d7 Align abstract method signatures with original Commons Logging API
  • ddcae04 Do not invoke [Map|Collection].isEmpty() in nullSafeConciseToString()
  • 994bbec Polishing
  • afb378a Consistently throw ParseException instead of IllegalStateException
  • a4fc7d3 Optimize ClassUtils#getMostSpecificMethod
  • Additional commits viewable in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.springframework:spring-beans&package-manager=gradle&previous-version=5.3.29&new-version=5.3.30)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 85deff1b81..6a7ee7b78a 100644
--- a/build.gradle
+++ b/build.gradle
@@ -593,7 +593,7 @@ dependencies {
 testImplementation "org.apache.kafka:kafka_2.13:${kafka_version}:test"
 testImplementation "org.apache.kafka:kafka-clients:${kafka_version}:test"
 testImplementation 'org.springframework.kafka:spring-kafka-test:2.9.12'
- testImplementation 'org.springframework:spring-beans:5.3.29'
+ testImplementation 'org.springframework:spring-beans:5.3.30'
 testImplementation 'org.junit.jupiter:junit-jupiter:5.10.0'
 testImplementation 'org.junit.jupiter:junit-jupiter-api:5.10.0'
 // Only osx-x86_64, osx-aarch_64, linux-x86_64, linux-aarch_64, windows-x86_64 are available

From e61e8d4f77b0dc1ac5db2829d56629159c354900 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 18 Sep 2023 14:25:05 +0200
Subject: [PATCH 12/13] dependabot: bump com.github.wnameless.json:json-flattener from 0.16.5 to 0.16.6 (#3369)

Bumps [com.github.wnameless.json:json-flattener](https://github.com/wnameless/json-flattener) from 0.16.5 to 0.16.6.
Changelog

Sourced from com.github.wnameless.json:json-flattener's changelog.

Version 0.1.0

  • First release

Version 0.1.1

  • Fix minimal-json parsing double value(ex:6.0) error

Version 0.1.2

  • Fix the bug of empty array or empty object disappearing after flattening

Version 0.1.3

  • Fix the bug of objects unflattening in reversed indexed array(ex: {"List[1].type":"B","List[0].type":"A"})

Version 0.1.4

  • Fix the bug of reversed indexed arrays unflattening(ex: {"[1][1]":"B","[0][0]":"A"})
  • Fix the bug of init complex key unflattening(ex: {"[\"b.b\"].aaa":123})

Version 0.1.5

  • Escape JSON special characters in flattened JSON keys, values and Java Map keys but not in Java Map values

Version 0.1.6

  • For ease of use, Unicode characters aren't escaped anymore

Version 0.2.0

  • Add FlattenMode
  • Add StringEscapePolicy
  • Add separator config
  • Add PrintMode

Version 0.2.1

  • Remove internal cache
  • Add missing hashCode, equals and toString to JsonUnflattener
  • Fix the stack overflow bug in KEEP_ARRAYS mode when null value occurs

Version 0.2.2

  • Fix the stack overflow bug in KEEP_ARRAYS mode when empty object occurs

Version 0.2.3

  • Fix internal JsonFlattener state inheritance bug during instantiation

Version 0.2.4

  • Fix the bug of wrong output if ROOT value shows in source object

Version 0.3.0

  • Support Reader as inputs
  • Add #withLeftAndRightBrackets

Version 0.4.0

  • Add FlattenMode.MONGODB
  • Add #withKeyTransformer

... (truncated)

Commits
  • 5cb34f5 [maven-release-plugin] prepare release json-flattener-0.16.6
  • 1b0c1c3 Upgrade release-notes
  • a42ddaf Upgrade json-base for precise scale of the float number
  • e8f5f71 [maven-release-plugin] prepare for next development iteration
  • See full diff in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.github.wnameless.json:json-flattener&package-manager=gradle&previous-version=0.16.5&new-version=0.16.6)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 6a7ee7b78a..e4a8632588 100644
--- a/build.gradle
+++ b/build.gradle
@@ -499,7 +499,7 @@ dependencies {
 exclude group: "com.google.code.gson", module: "gson"
 exclude group: "org.json", module: "json"
 }
- implementation 'com.github.wnameless.json:json-flattener:0.16.5'
+ implementation 'com.github.wnameless.json:json-flattener:0.16.6'
 // JSON patch
 implementation 'com.flipkart.zjsonpatch:zjsonpatch:0.4.14'
 implementation 'org.apache.commons:commons-collections4:4.4'

From 5e0ab680a99cf5e8ad7b08b1d9752a15692a96ff Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 18 Sep 2023 08:42:44 -0500
Subject: [PATCH 13/13] dependabot: bump org.checkerframework:checker-qual from 3.36.0 to 3.38.0 (#3367)

Bumps [org.checkerframework:checker-qual](https://github.com/typetools/checker-framework) from 3.36.0 to 3.38.0.

Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index e4a8632588..dc443e97bf 100644
--- a/build.gradle
+++ b/build.gradle
@@ -566,7 +566,7 @@ dependencies {
 runtimeOnly 'org.apache.ws.xmlschema:xmlschema-core:2.3.1'
 runtimeOnly 'org.apache.santuario:xmlsec:2.3.3'
 runtimeOnly "com.github.luben:zstd-jni:${versions.zstd}"
- runtimeOnly 'org.checkerframework:checker-qual:3.36.0'
+ runtimeOnly 'org.checkerframework:checker-qual:3.38.0'
 runtimeOnly "org.bouncycastle:bcpkix-jdk15to18:${versions.bouncycastle}"
 runtimeOnly 'org.scala-lang.modules:scala-java8-compat_3:1.0.2'