This is an automated email from the ASF dual-hosted git repository.
chenzhida pushed a commit to branch 2.8.x
in repository https://gitbox.apache.org/repos/asf/servicecomb-java-chassis.git
The following commit(s) were added to refs/heads/2.8.x by this push:
new 88774b8ee upgrade org.apache.tomcat.embed:tomcat-embed-core to 9.0.108
(#4986)
88774b8ee is described below
commit 88774b8ee65166e18b596f3adc94674c664db62d
Author: qlonglong <[email protected]>
AuthorDate: Wed Oct 22 17:40:04 2025 +0800
upgrade org.apache.tomcat.embed:tomcat-embed-core to 9.0.108 (#4986)
Due to JDK version constraints, Spring Boot cannot be upgraded further.
Therefore, tomcat-embed-core can only be upgraded to 9.0.108 to address the
CVE-2025-48989 vulnerability.
---
dependencies/default/pom.xml | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/dependencies/default/pom.xml b/dependencies/default/pom.xml
index c9132cc26..46bb11157 100644
--- a/dependencies/default/pom.xml
+++ b/dependencies/default/pom.xml
@@ -101,6 +101,7 @@
<vertx.version>4.5.21</vertx.version>
<zipkin.version>2.24.0</zipkin.version>
<zipkin-reporter.version>2.16.3</zipkin-reporter.version>
+ <tomcat.version>9.0.108</tomcat.version>
<!-- Base dir of main -->
<main.basedir>${basedir}/../..</main.basedir>
</properties>
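Review bot: The new `tomcat.version` property has no comment saying why Tomcat is pinned here, so the reason exists only in the commit message. A comment on the line above it, such as `<!-- Pinned for CVE-2025-48989; remove once Spring Boot can be upgraded to a release that manages a fixed Tomcat -->`, would stop the override from outliving its purpose. The property is also appended after `zipkin-reporter.version`, while the visible neighbours look alphabetically ordered. If that ordering holds for the rest of the `<properties>` block, which starts outside the hunk, it belongs before `vertx.version`.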
@@ -774,6 +775,22 @@
<version>${java-websocket.version}</version>
</dependency>
+ <dependency>
+ <groupId>org.apache.tomcat.embed</groupId>
+ <artifactId>tomcat-embed-core</artifactId>
+ <version>${tomcat.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.tomcat.embed</groupId>
+ <artifactId>tomcat-embed-el</artifactId>
+ <version>${tomcat.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.tomcat.embed</groupId>
+ <artifactId>tomcat-embed-websocket</artifactId>
+ <version>${tomcat.version}</version>
+ </dependency>
+
<dependency>
<groupId>org.apache.servicecomb</groupId>
<artifactId>java-chassis-bom</artifactId>
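Review bot: Only `tomcat-embed-core`, `tomcat-embed-el` and `tomcat-embed-websocket` are pinned in the added entries. Any other Tomcat artifact a module pulls in (for example `tomcat-embed-jasper`, if one is used) would presumably still take its version from wherever it is managed today, leaving mixed Tomcat versions on the classpath. Running `mvn dependency:tree -Dincludes=org.apache.tomcat.embed` on a module that embeds Tomcat would confirm that everything resolves to 9.0.108 and that no older `tomcat-embed-core` affected by CVE-2025-48989 is still selected. The enclosing dependencies block starts and ends outside the hunk, so how these entries interact with an imported BOM cannot be judged from here.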