…ce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JAVA-ORGHIBERNATE-15038759
- https://snyk.io/vuln/SNYK-JAVA-CHQOSLOGBACK-15062482
Pull request overview
Updates Maven dependency versions to remediate 2 Snyk-reported vulnerabilities (Logback and Hibernate).
Changes:
- Bump Logback version in the root pom.xml (plus minor XML self-closing tag cleanup).
- Bump Hibernate Core version in persistence-modules/spring-hibernate-3/pom.xml.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| pom.xml | Updates Logback version property (and minor lifecycle-mapping XML formatting). |
| persistence-modules/spring-hibernate-3/pom.xml | Updates Hibernate version property for the Spring/Hibernate module. |
| <!-- logging --> | ||
| <org.slf4j.version>1.7.32</org.slf4j.version> | ||
| <logback.version>1.2.6</logback.version> | ||
| <logback.version>1.5.25</logback.version> |
Bumping logback to 1.5.25 while keeping org.slf4j.version at 1.7.32 is very likely incompatible: newer Logback lines are built to work with SLF4J 2.x and can fail at runtime (e.g., missing SLF4J service provider classes) when forced onto SLF4J 1.7 via dependency management. Align the SLF4J + Logback versions (upgrade SLF4J accordingly, or pick a Logback version that is compatible with SLF4J 1.7 / Java 8).
| <logback.version>1.5.25</logback.version> | |
| <logback.version>1.2.13</logback.version> |
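Review bot: the revised bump to 1.2.13 stays on the Logback 1.2 line and so addresses the SLF4J 1.7.32 mismatch raised on the previous hunk, but confirm that 1.2.13 is listed as a fixed version for SNYK-JAVA-CHQOSLOGBACK-15062482 before merging, since the PR description below still presents 1.2.6->1.5.25 as the remediation and should be updated to match the change actually being merged.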
| <javassist.version>3.21.0-GA</javassist.version> | ||
| <!-- persistence --> | ||
| <hibernate.version>3.6.10.Final</hibernate.version> | ||
| <hibernate.version>5.3.38.Final</hibernate.version> |
Upgrading hibernate-core from 3.6 to 5.3 in this module is inconsistent with the rest of the module, which is explicitly built around Spring's org.springframework.orm.hibernate3.* integration and Hibernate 3 configuration (e.g., hibernate-configuration-3.0.dtd). With Hibernate 5.3 this setup is expected to break; to make this upgrade work you’ll need to migrate the Spring integration/configuration to the Hibernate 5 variant (e.g., Spring ORM Hibernate 5 support / updated config files), or keep this module on the Hibernate 3 line and address the vulnerability another way (exclude/disable the module, isolate it from production builds, etc.).
| <hibernate.version>5.3.38.Final</hibernate.version> | |
| <hibernate.version>3.6.10.Final</hibernate.version> |
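Review bot: reverting hibernate.version to 3.6.10.Final leaves SNYK-JAVA-ORGHIBERNATE-15038759 unaddressed, while the PR description below still lists 3.6.10.Final->5.3.38.Final as fixed by this PR. If the module is staying on the Hibernate 3 line for the reasons given in the previous comment (Spring's hibernate3 integration and the 3.0 DTD), state that in the PR and record the accepted risk (the issue is marked with Proof of Concept exploit maturity), or isolate the module from production builds as suggested, so the merged PR does not claim a remediation it no longer contains.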
Snyk has created this PR to fix 2 vulnerabilities in the maven dependencies of this project.
Snyk changed the following file(s):
- pom.xml
- persistence-modules/spring-hibernate-3/pom.xml

Vulnerabilities that will be fixed with an upgrade:

| Issue | Upgrade | Breaking change | Exploit maturity |
|---|---|---|---|
| SNYK-JAVA-ORGHIBERNATE-15038759 | 3.6.10.Final->5.3.38.Final | Major version upgrade | Proof of Concept |
| SNYK-JAVA-CHQOSLOGBACK-15062482 | 1.2.6->1.5.25; ch.qos.logback:logback-core: 1.2.6->1.5.25 | | No Known Exploit |

Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.