nrknithin commented on code in PR #6686:
URL: https://github.com/apache/incubator-kie-drools/pull/6686#discussion_r3225518463


##########
build-parent/pom.xml:
##########
@@ -121,15 +122,15 @@
     <version.jakarta.json-api>2.1.3</version.jakarta.json-api>
     <version.org.apache.openjpa>4.0.0</version.org.apache.openjpa>
     <version.org.jpmml.model>1.6.4</version.org.jpmml.model> <!-- jpmml-model 
BSD 3C license - ATTENTION 1.5.1 intentional, because 1.5.1 evaluators works 
with 1.5.1 -->
-    <version.org.junit.jupiter>5.13.4</version.org.junit.jupiter>
-    <version.org.junit.platform>1.13.4</version.org.junit.platform> <!-- Keep 
synchronized with junit-jupiter (middle and minor should be the same) -->
+    <version.org.junit.jupiter>6.0.3</version.org.junit.jupiter>
+    <version.org.junit.platform>6.0.3</version.org.junit.platform> <!-- JUnit 
6 unified versioning: platform shares the jupiter version, managed by junit-bom 
6.0.3 -->
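
Review bot: `version.org.junit.jupiter` and `version.org.junit.platform` now carry the same literal `6.0.3` in two places, and the new comment on the platform line says the two always share a version, so nothing stops them drifting apart on the next bump. Define the value once, either as a single property that both artifacts reference or by setting the platform property to `${version.org.junit.jupiter}`. Separately, the unchanged comment on the `version.org.jpmml.model` context line still says "1.5.1 intentional" next to the value 1.6.4; that comment is stale and worth correcting while this block is being edited.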

Review Comment:
   @yesamer  Good catch. Consolidated to a single version.org.junit property — 
both jupiter and platform reference it now.



##########
build-parent/pom.xml:
##########
@@ -1342,6 +1343,13 @@
           </exclusion>
         </exclusions>
       </dependency>
+
+      <!-- CVE fix: use at.yawk.lz4:lz4-java instead of org.lz4:lz4-java -->
+      <dependency>
+        <groupId>at.yawk.lz4</groupId>
+        <artifactId>lz4-java</artifactId>
+        <version>${version.at.yawk.lz4.java}</version>
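
Review bot: The `<!-- CVE fix: ... -->` comment above the new `at.yawk.lz4:lz4-java` dependency names no CVE identifier, so a later maintainer cannot tell which advisory it addresses or when the entry becomes safe to drop; put the identifier in the comment. Also, Maven resolves conflicts per groupId:artifactId, so declaring `at.yawk.lz4:lz4-java` does not by itself displace `org.lz4:lz4-java`: every path that brings in the old coordinates needs an exclusion, and the result should be confirmed with `mvn dependency:tree -Dincludes=org.lz4` on the modules that use it. If no module resolves `org.lz4` any more, this entry and the `version.at.yawk.lz4.java` property are unused and should be left out.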

Review Comment:
   @yesamer  Good question. On closer look this was a CVE fix that became dead 
code with the Kafka 4.1.2 bump in this PR — Kafka 4.x's pom already brings 
at.yawk.lz4:lz4-java 1.10.1 directly (verified org.lz4 is not resolved anywhere 
in ~/.m2). Removed the exclusion, the standalone dep, and the 
version.at.yawk.lz4.java property.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
