Skip to content

[Snyk] Fix for 3 vulnerabilities#1513

Open
macroscope-cloud wants to merge 6 commits into
snyk-fix-8845a86c99f931e0b85cb1a084d2be90from
snyk-fix-bda781b2072b6b90fbf32b7538bb14d7
Open

[Snyk] Fix for 3 vulnerabilities#1513
macroscope-cloud wants to merge 6 commits into
snyk-fix-8845a86c99f931e0b85cb1a084d2be90from
snyk-fix-bda781b2072b6b90fbf32b7538bb14d7

Conversation

@macroscope-cloud

Copy link
Copy Markdown

snyk-top-banner

Snyk has created this PR to fix 3 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

  • examples/iOS-Hybrid-App-Java-Server/pom.xml

Vulnerabilities that will be fixed with an upgrade:

Issue Score Upgrade
medium severity Improperly Controlled Modification of Dynamically-Determined Object Attributes
SNYK-JAVA-TOOLSJACKSONCORE-17457696
  738   org.springframework.boot:spring-boot-starter-json:
4.0.6 -> 4.0.7
Proof of Concept
high severity Improper Authentication
SNYK-JAVA-ORGAPACHETOMCATEMBED-17732890
  726   org.apache.tomcat.embed:tomcat-embed-core:
11.0.21 -> 11.0.23
org.apache.tomcat.embed:tomcat-embed-websocket:
11.0.21 -> 11.0.23
org.springframework.boot:spring-boot-starter-tomcat:
3.5.5 -> 4.0.0
Major version upgrade No Known Exploit
high severity Detection of Error Condition Without Action
SNYK-JAVA-ORGAPACHETOMCATEMBED-17733746
  721   org.apache.tomcat.embed:tomcat-embed-core:
11.0.21 -> 11.0.23
org.apache.tomcat.embed:tomcat-embed-websocket:
11.0.21 -> 11.0.23
org.springframework.boot:spring-boot-starter-tomcat:
3.5.5 -> 4.0.0
Major version upgrade No Known Exploit

Breaking Change Risk

Merge Risk: High

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Improper Authentication
🦉 Improperly Controlled Modification of Dynamically-Determined Object Attributes

@macroscope-cloud

Copy link
Copy Markdown
Author

Merge Risk: High

This upgrade includes a major version bump for spring-boot-starter-tomcat from 3.5.5 to 4.0.0, which introduces significant breaking changes.

Key Breaking Changes in Spring Boot 4.0.0:

  • Java 21 Baseline: Spring Boot 4.0 requires Java 21 or later. This will require updates to the build environment, CI/CD pipelines, and potentially Docker base images.
  • Jakarta EE 11: The framework now fully adopts Jakarta EE 11, which includes Servlet 6.1. This continues the migration from javax.* to jakarta.* namespaces, and any remaining javax.* usage, even from transitive dependencies, may cause compilation or runtime errors.
  • Spring Framework 7: This release is built on Spring Framework 7, which brings its own set of changes and removals.
  • Modularization: Spring Boot auto-configurations have been split into smaller, more focused modules. This may require adding explicit dependencies for features that were previously included by default.
  • Security Defaults: Default security behaviors have changed. Web applications are now secured by default, and SecurityFilterChain configurations may behave differently, requiring explicit configuration to restore previous behavior.
  • Removed APIs: APIs deprecated in Spring Boot 3.x have been removed. A notable removal is the support for Undertow as an embedded server; applications must switch to Tomcat or Jetty.
  • Configuration Property Changes: Several configuration properties have been renamed or removed. It is recommended to use the Spring Boot Properties Migrator tool before upgrading to identify and update deprecated properties.

Other Upgrades:

  • tomcat-embed-core and tomcat-embed-websocket (11.0.2111.0.23): This is a patch release with bug fixes and minor improvements. The changelog notes a breaking change for the EncryptInterceptor and alignment of rewrite condition processing.
  • spring-boot-starter-json (4.0.64.0.7): This patch release includes bug fixes, documentation improvements, and dependency upgrades, including fixes for two CVEs (CVE-2026-40992 and CVE-2026-41001).

Recommendation:

This is a high-risk upgrade that requires significant developer action. Do not merge without a thorough migration effort. It is strongly recommended to first upgrade to the latest Spring Boot 3.5.x release, resolve all deprecation warnings, and use the properties migrator before attempting the upgrade to 4.0.0. A dedicated migration branch and extensive testing are essential.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants