[pull] release from appsmithorg:release#263
Merged
Merged
Conversation
…41947) ## Summary Remediates 17 CRITICAL/HIGH CVEs (57 scanner findings) detected by scanning the `appsmith/appsmith-ee:release` Docker image (digest `597f187a`). All fixes are same-major dependency pins — no code changes. | Dependency | Change | CVEs | |---|---|---| | spring-boot-starter-parent | 3.5.12 → 3.5.14 | CVE-2026-40973 | | jackson-bom / jackson | 2.17.0 → 2.18.8 | CVE-2026-54512, CVE-2026-54513 | | netty (pinned over Boot BOM) | → 4.1.135.Final | CVE-2026-42583, CVE-2026-42579, CVE-2026-42584, CVE-2026-42587, CVE-2026-33870, CVE-2026-33871, CVE-2026-44249, CVE-2026-45416, CVE-2026-50010, CVE-2026-45674, CVE-2026-47691 | | commons-io (dependencyManagement) | → 2.20.0 | CVE-2024-47554 (transitive via databricks-sdk-java) | | plexus-utils (dependencyManagement) | → 3.6.1 | CVE-2025-67030 | | aws-java-sdk (amazons3Plugin, awsLambdaPlugin) | 1.12.261 / 1.12.622 → 1.12.797 | CVE-2024-21634 (drops unpatched `software.amazon.ion:ion-java` entirely) | ### Verification - `mvn clean install -DskipTests` passes on this branch (CE) and on EE with this commit cherry-picked (sync simulation applied cleanly — no conflicts). - Trivy re-scan of the built server + all plugin jars (CE and EE builds) confirms every targeted CVE is gone. Remaining findings are all known non-actionable: `com.appsmith:*` self-advisories (already handled via GHSA lifecycle), `mssql-jdbc` (false positive — installed `11.2.4.jre11` **is** the patched version; scanner drops the `.jre11` suffix), `ini4j` (no fixed version exists upstream), and jackson 2.16.0 shaded **inside** the `databricks-jdbc` fat jar (not resolvable via Maven; needs a databricks-jdbc 2.6.40 → 2.7.x bump, deferred as a separate follow-up). - `mvn spotless:check` clean; pre-commit hooks passed. ### Out of scope (image-level, tracked separately) Keycloak jars (`opt/keycloak/**`), Temporal go binaries (`opt/temporal/**`), Node's bundled `undici`, and RTS `nodemailer` (major bump) — these are not fixable from this repo's poms. ## Automation /ok-to-test tags="@tag.All" <!-- This is an auto-generated comment: Cypress test results --> > [!TIP] > 🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉 > Workflow run: <https://github.com/appsmithorg/appsmith/actions/runs/28682481837> > Commit: 06ae9cc > <a href="https://internal.appsmith.com/app/cypress-dashboard/rundetails-65890b3c81d7400d08fa9ee5?branch=master&workflowId=28682481837&attempt=1" target="_blank">Cypress dashboard</a>. > Tags: `@tag.All` > Spec: > <hr>Fri, 03 Jul 2026 21:42:23 UTC <!-- end of auto-generated comment: Cypress test results --> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Updated several bundled library versions to address known security vulnerabilities. * Improved dependency consistency across the app to reduce the risk of runtime issues caused by outdated transitive packages. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.4)
Can you help keep this open source service alive? 💖 Please sponsor : )