This is an automated email from the ASF dual-hosted git repository.
adamsaghy pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/fineract.git
The following commit(s) were added to refs/heads/develop by this push:
new f6b2daf54c FINERACT-2421: Upgrade dependencies (#5244)
f6b2daf54c is described below
commit f6b2daf54c43ec5db211609cd3f4465a6b664501
Author: Adam Saghy <[email protected]>
AuthorDate: Thu Dec 18 14:14:02 2025 +0100
FINERACT-2421: Upgrade dependencies (#5244)
---
build.gradle | 11 +++++-
buildSrc/build.gradle | 9 +++++
.../groovy/org.apache.fineract.dependencies.gradle | 42 +++++++++++-----------
fineract-client-feign/dependencies.gradle | 2 --
fineract-e2e-tests-core/build.gradle | 4 +--
fineract-e2e-tests-runner/build.gradle | 4 +--
integration-tests/dependencies.gradle | 2 +-
oauth2-tests/dependencies.gradle | 2 +-
twofactor-tests/dependencies.gradle | 2 +-
9 files changed, 48 insertions(+), 30 deletions(-)
diff --git a/build.gradle b/build.gradle
index 1d25ed0514..3817f3769a 100644
--- a/build.gradle
+++ b/build.gradle
@@ -102,7 +102,7 @@ plugins {
id 'com.github.hierynomus.license' version '0.16.1' apply false
id 'com.github.jk1.dependency-license-report' version '2.9' apply false
id 'org.zeroturnaround.gradle.jrebel' version '1.2.0' apply false
- id 'org.springframework.boot' version '3.5.5' apply false
+ id 'org.springframework.boot' version '3.5.6' apply false
id 'net.ltgt.errorprone' version '4.1.0' apply false
id 'io.swagger.core.v3.swagger-gradle-plugin' version '2.2.23' apply false
id 'com.gorylenko.gradle-git-properties' version '2.4.2' apply false
@@ -163,6 +163,15 @@ allprojects {
mavenCentral()
}
+ configurations.all {
+ resolutionStrategy {
+ dependencySubstitution {
+ // Substitution is to resolve CVE-2025-12183
+ substitute module('org.lz4:lz4-java') using
module('at.yawk.lz4:lz4-java:1.10.1')
+ }
+ }
+ }
+
configurations {
implementation {
exclude group: 'commons-logging', module: 'commons-logging'
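Review bot: The `dependencySubstitution` rule swaps `org.lz4:lz4-java` for an artifact under a different publisher (`at.yawk.lz4`), and because it sits in `allprojects` / `configurations.all` it changes the supply-chain trust root for every configuration in the build, yet the comment only names the CVE. The reason a cross-publisher fork was chosen, and what was checked about it, should be recorded where the rule lives so the decision can be re-validated later, e.g. `// CVE-2025-12183: org.lz4:lz4-java substituted with the at.yawk.lz4 fork; provenance and license reviewed under FINERACT-2421`. Since the substitution rewrites transitive coordinates, the fork will surface in the `dependency-license-report` output rather than in any direct declaration, so its license should be confirmed there. If the upstream publisher has since shipped a fixed release, a plain version bump would be preferable to keeping a fork substitution in place.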
diff --git a/buildSrc/build.gradle b/buildSrc/build.gradle
index b54069a3c2..de2e63c05c 100644
--- a/buildSrc/build.gradle
+++ b/buildSrc/build.gradle
@@ -41,6 +41,15 @@ repositories {
mavenCentral()
}
+configurations.all {
+ resolutionStrategy {
+ dependencySubstitution {
+ // Substitution is to resolve CVE-2025-12183
+ substitute module('org.lz4:lz4-java') using
module('at.yawk.lz4:lz4-java:1.10.1')
+ }
+ }
+}
+
dependencies {
implementation 'com.sun.activation:jakarta.activation'
implementation 'com.sun.mail:jakarta.mail'
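Review bot: This is a verbatim copy of the substitution added to the root `build.gradle` in the same commit, and a third pin of the same coordinate appears as `dependency 'at.yawk.lz4:lz4-java:1.10.1'` in the managed-dependencies file, so the version now has to be kept in sync by hand in three places. The duplication here appears necessary because `buildSrc` is built before the root project's configuration runs, but nothing says so, and a later cleanup could remove the wrong copy; a one-line comment would prevent that: `// Duplicated from build.gradle on purpose: buildSrc resolves before the root project's resolutionStrategy applies`. Whether the managed-dependencies pin is still needed once the substitution is global is worth confirming with `./gradlew dependencies`; if it is redundant, dropping it leaves one less version to drift.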
diff --git a/buildSrc/src/main/groovy/org.apache.fineract.dependencies.gradle
b/buildSrc/src/main/groovy/org.apache.fineract.dependencies.gradle
index 8b226bca6f..032e506847 100644
--- a/buildSrc/src/main/groovy/org.apache.fineract.dependencies.gradle
+++ b/buildSrc/src/main/groovy/org.apache.fineract.dependencies.gradle
@@ -25,12 +25,12 @@ dependencyManagement {
mavenBom 'com.squareup.okhttp3:okhttp-bom:4.12.0'
mavenBom 'org.slf4j:slf4j-bom:2.0.17'
mavenBom 'io.micrometer:micrometer-bom:1.13.6'
- mavenBom 'org.springframework.boot:spring-boot-dependencies:3.5.5'
+ mavenBom 'org.springframework.boot:spring-boot-dependencies:3.5.6'
mavenBom 'io.awspring.cloud:spring-cloud-aws-dependencies:3.2.1'
mavenBom 'io.opentelemetry:opentelemetry-bom:1.44.1'
mavenBom 'org.jetbrains.kotlin:kotlin-bom:2.0.21'
mavenBom 'org.junit:junit-bom:5.11.3'
- mavenBom 'com.fasterxml.jackson:jackson-bom:2.18.3'
+ mavenBom 'com.fasterxml.jackson:jackson-bom:2.19.2'
mavenBom 'io.cucumber:cucumber-bom:7.20.1'
mavenBom 'org.mockito:mockito-bom:5.14.2'
mavenBom 'software.amazon.awssdk:bom:2.29.9'
@@ -44,8 +44,8 @@ dependencyManagement {
// We do not use :+ to get the latest available version available on
Maven Central, as that could suddenly break things.
// We use the Renovate Bot to automatically propose Pull Requests
(PRs) when upgrades for all of these versions are available.
- dependency 'ch.qos.logback:logback-core:1.5.17'
- dependency 'ch.qos.logback:logback-classic:1.5.17'
+ dependency 'ch.qos.logback:logback-core:1.5.19'
+ dependency 'ch.qos.logback:logback-classic:1.5.19'
dependency 'ch.qos.logback.contrib:logback-json-classic:0.1.5'
dependency 'ch.qos.logback.contrib:logback-jackson:0.1.5'
dependency 'org.codehaus.janino:janino:3.1.12'
@@ -55,7 +55,7 @@ dependencyManagement {
dependency 'com.google.code.gson:gson:2.11.0'
dependency 'com.google.googlejavaformat:google-java-format:1.24.0'
dependency 'org.apache.commons:commons-collections4:4.4'
- dependency 'org.apache.commons:commons-compress:1.26.0'
+ dependency 'org.apache.commons:commons-compress:1.28.0'
dependency ('software.amazon.msk:aws-msk-iam-auth:2.2.0') {
exclude 'commons-logging:commons-logging:'
}
@@ -74,17 +74,17 @@ dependencyManagement {
dependency 'org.ehcache:ehcache:3.10.8'
dependency 'com.github.spullara.mustache.java:compiler:0.9.14'
dependency 'com.jayway.jsonpath:json-path:2.9.0'
- dependency ('org.apache.tika:tika-core:2.9.3') {
+ dependency ('org.apache.tika:tika-core:3.2.3') {
exclude 'commons-logging:commons-logging'
}
- dependency ('org.apache.tika:tika-core:2.9.3') {
+ dependency ('org.apache.tika:tika-core:3.2.3') {
exclude 'commons-logging:commons-logging'
}
- dependency ('org.apache.tika:tika-parser-miscoffice-module:2.9.3') {
+ dependency ('org.apache.tika:tika-parser-miscoffice-module:3.2.3') {
exclude 'org.bouncycastle:bcprov-jdk15on'
- exclude 'org.bouncycastle:bcmail-jdk15on'
+ exclude 'org.bouncycastle:bcjmail-jdk15on'
exclude 'org.bouncycastle:bcprov-jdk18on'
- exclude 'org.bouncycastle:bcmail-jdk18on'
+ exclude 'org.bouncycastle:bcjmail-jdk18on'
exclude 'commons-logging:commons-logging'
exclude 'org.apache.logging.log4j:log4j-api'
exclude 'org.slf4j:slf4j-api'
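Review bot: `org.apache.tika:tika-core` is declared twice with identical exclude blocks (the two `dependency ('org.apache.tika:tika-core:3.2.3')` entries at the top of this hunk), and the commit bumps both rather than removing the redundant one; the second declaration should be deleted. The renamed excludes `bcjmail-jdk15on` / `bcjmail-jdk18on` are only effective if those are the exact coordinates Tika 3.2.3 pulls in — Gradle silently ignores an exclude that matches nothing — so the resolved tree should be checked with `./gradlew dependencies --configuration runtimeClasspath` for any stray Bouncy Castle artifact. Because the BC provider is excluded from the Tika modules, their crypto-dependent parsing presumably relies on the project-pinned `bcprov-jdk18on:1.81`; a short comment stating that intent, `// BC is excluded here and supplied by the project-wide bcprov/bcpkix pins`, would make the exclusions self-explanatory. The enclosing `dependencyManagement` block starts and ends outside this hunk.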
@@ -97,11 +97,11 @@ dependencyManagement {
exclude 'org.apache.commons:commons-compress'
exclude 'xml-apis:xml-apis'
}
- dependency ('org.apache.tika:tika-parser-microsoft-module:2.9.3') {
+ dependency ('org.apache.tika:tika-parser-microsoft-module:3.2.3') {
exclude 'org.bouncycastle:bcprov-jdk15on'
- exclude 'org.bouncycastle:bcmail-jdk15on'
+ exclude 'org.bouncycastle:bcjmail-jdk15on'
exclude 'org.bouncycastle:bcprov-jdk18on'
- exclude 'org.bouncycastle:bcmail-jdk18on'
+ exclude 'org.bouncycastle:bcjmail-jdk18on'
exclude 'commons-logging:commons-logging'
exclude 'org.apache.logging.log4j:log4j-api'
exclude 'org.slf4j:slf4j-api'
@@ -152,10 +152,10 @@ dependencyManagement {
dependency "commons-codec:commons-codec:1.17.1"
dependency "org.projectlombok:lombok:1.18.36"
- dependency 'org.bouncycastle:bcpkix-jdk18on:1.80'
- dependency 'org.bouncycastle:bcprov-jdk18on:1.80'
- dependency 'org.bouncycastle:bcutil-jdk18on:1.80'
- dependency 'org.bouncycastle:bcpg-jdk18on:1.80'
+ dependency 'org.bouncycastle:bcpkix-jdk18on:1.81'
+ dependency 'org.bouncycastle:bcprov-jdk18on:1.81'
+ dependency 'org.bouncycastle:bcutil-jdk18on:1.81'
+ dependency 'org.bouncycastle:bcpg-jdk18on:1.81'
dependency 'org.eclipse.jgit:org.eclipse.jgit:7.2.0.202503040940-r'
dependency
'org.eclipse.jgit:org.eclipse.jgit.gpg.bc:7.2.0.202503040940-r'
@@ -185,7 +185,7 @@ dependencyManagement {
dependency 'jakarta.annotation:jakarta.annotation-api:3.0.0'
dependency 'jakarta.activation:jakarta.activation-api:2.1.3'
- dependency ('com.sun.mail:jakarta.mail:2.0.1') {
+ dependency ('com.sun.mail:jakarta.mail:2.0.2') {
// Spring needs this version
exclude 'com.sun.activation:jakarta.activation'
}
@@ -273,9 +273,11 @@ dependencyManagement {
dependency 'org.springframework:spring-core:6.2.11'
// Force Spring Framework version: CVE-2025-41248
dependency 'org.springframework.security:spring-security-core:6.5.4'
- // Force netty-codec version: CVE-2025-58057
- dependency 'io.netty:netty-codec:4.1.125.Final'
+ // Force netty-codec version: CVE-2025-67735
+ dependency 'io.netty:netty-codec:4.1.129.Final'
// Force netty-codec version: CVE-2025-58056
dependency 'io.netty:netty-codec-http:4.1.125.Final'
+ // Force lz4-java version: CVE-2025-12183
+ dependency 'at.yawk.lz4:lz4-java:1.10.1'
}
}
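Review bot: `io.netty:netty-codec` is forced to `4.1.129.Final` while `io.netty:netty-codec-http` two lines below stays at `4.1.125.Final`, so the build now mixes Netty modules from two patch releases; Netty artifacts are intended to be used at a single version and a mismatch between `netty-codec` and `netty-codec-http` can surface as runtime linkage errors rather than at compile time. Either bump the sibling pin to match, `dependency 'io.netty:netty-codec-http:4.1.129.Final'`, or replace both forced pins with a single `mavenBom 'io.netty:netty-bom:4.1.129.Final'` in the BOM section so all Netty modules move together. The comment also drops the earlier `CVE-2025-58057` reference; if 4.1.129.Final covers both, keeping both IDs, `// Force netty-codec version: CVE-2025-58057, CVE-2025-67735`, preserves the audit trail for why the pin exists. The enclosing `dependencyManagement` block begins outside this hunk.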
diff --git a/fineract-client-feign/dependencies.gradle
b/fineract-client-feign/dependencies.gradle
index 59cb8278b0..ebc09f7973 100644
--- a/fineract-client-feign/dependencies.gradle
+++ b/fineract-client-feign/dependencies.gradle
@@ -33,7 +33,6 @@ dependencies {
'jakarta.annotation:jakarta.annotation-api:3.0.0',
'io.swagger.core.v3:swagger-annotations-jakarta:2.2.15',
'org.apache.commons:commons-lang3:3.12.0',
- 'org.slf4j:slf4j-api:1.7.36',
'org.projectlombok:lombok'
)
@@ -43,7 +42,6 @@ dependencies {
'org.junit.jupiter:junit-jupiter-engine:5.11.3',
'org.mockito:mockito-core:5.14.2',
'org.assertj:assertj-core:3.26.3',
- 'org.slf4j:slf4j-simple:1.7.36',
'org.wiremock:wiremock-standalone'
)
}
diff --git a/fineract-e2e-tests-core/build.gradle
b/fineract-e2e-tests-core/build.gradle
index d04d71ae12..d4cb2af8f4 100644
--- a/fineract-e2e-tests-core/build.gradle
+++ b/fineract-e2e-tests-core/build.gradle
@@ -90,8 +90,8 @@ dependencies {
testCompileOnly 'org.projectlombok:lombok:1.18.36'
testAnnotationProcessor 'org.projectlombok:lombok:1.18.36'
- testImplementation "ch.qos.logback:logback-core:1.5.17"
- testImplementation "ch.qos.logback:logback-classic:1.5.17"
+ testImplementation "ch.qos.logback:logback-core:1.5.19"
+ testImplementation "ch.qos.logback:logback-classic:1.5.19"
testImplementation 'org.apache.activemq:activemq-client:6.1.6'
testImplementation "org.apache.avro:avro:1.12.0"
diff --git a/fineract-e2e-tests-runner/build.gradle
b/fineract-e2e-tests-runner/build.gradle
index 2f8811aefb..223900d240 100644
--- a/fineract-e2e-tests-runner/build.gradle
+++ b/fineract-e2e-tests-runner/build.gradle
@@ -61,8 +61,8 @@ dependencies {
testCompileOnly 'org.projectlombok:lombok:1.18.36'
testAnnotationProcessor 'org.projectlombok:lombok:1.18.36'
- testImplementation "ch.qos.logback:logback-core:1.5.17"
- testImplementation "ch.qos.logback:logback-classic:1.5.17"
+ testImplementation "ch.qos.logback:logback-core:1.5.19"
+ testImplementation "ch.qos.logback:logback-classic:1.5.19"
testImplementation 'org.apache.activemq:activemq-client:6.1.6'
testImplementation "org.apache.avro:avro:1.12.0"
diff --git a/integration-tests/dependencies.gradle
b/integration-tests/dependencies.gradle
index 9b0cb8cafe..1560d98d3c 100644
--- a/integration-tests/dependencies.gradle
+++ b/integration-tests/dependencies.gradle
@@ -20,7 +20,7 @@ dependencies {
// testCompile dependencies are ONLY used in src/test, not src/main.
// Do NOT repeat dependencies which are ALREADY in implementation or
runtimeOnly!
//
- tomcat 'org.apache.tomcat:tomcat:10.1.42@zip'
+ tomcat 'org.apache.tomcat:tomcat:10.1.45@zip'
def providerMainOutput =
project(':fineract-provider').extensions.getByType(SourceSetContainer).named('main').get().output
testImplementation( providerMainOutput,
project(path: ':fineract-core', configuration: 'runtimeElements'),
diff --git a/oauth2-tests/dependencies.gradle b/oauth2-tests/dependencies.gradle
index 67e7194d06..168863f06d 100644
--- a/oauth2-tests/dependencies.gradle
+++ b/oauth2-tests/dependencies.gradle
@@ -20,7 +20,7 @@ dependencies {
// testCompile dependencies are ONLY used in src/test, not src/main.
// Do NOT repeat dependencies which are ALREADY in implementation or
runtimeOnly!
//
- tomcat 'org.apache.tomcat:tomcat:10.1.42@zip'
+ tomcat 'org.apache.tomcat:tomcat:10.1.45@zip'
testImplementation(
files("$rootDir/fineract-provider/build/classes/java/main/"),
project(path: ':fineract-provider', configuration:
'runtimeElements'),
'org.junit.jupiter:junit-jupiter-api',
diff --git a/twofactor-tests/dependencies.gradle
b/twofactor-tests/dependencies.gradle
index f4685d8a1e..f7b3ed55a6 100644
--- a/twofactor-tests/dependencies.gradle
+++ b/twofactor-tests/dependencies.gradle
@@ -20,7 +20,7 @@ dependencies {
// testCompile dependencies are ONLY used in src/test, not src/main.
// Do NOT repeat dependencies which are ALREADY in implementation or
runtimeOnly!
//
- tomcat 'org.apache.tomcat:tomcat:10.1.42@zip'
+ tomcat 'org.apache.tomcat:tomcat:10.1.45@zip'
testImplementation(
files("$rootDir/fineract-provider/build/classes/java/main/"),
project(path: ':fineract-provider', configuration:
'runtimeElements'),
'org.junit.jupiter:junit-jupiter-api',