Skip to content

[pull] release from appsmithorg:release#263

Merged
pull[bot] merged 1 commit into
code:releasefrom
appsmithorg:release
Jul 4, 2026
Merged

[pull] release from appsmithorg:release#263
pull[bot] merged 1 commit into
code:releasefrom
appsmithorg:release

Conversation

@pull

@pull pull Bot commented Jul 4, 2026

Copy link
Copy Markdown

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

…41947)

## Summary

Remediates 17 CRITICAL/HIGH CVEs (57 scanner findings) detected by
scanning the `appsmith/appsmith-ee:release` Docker image (digest
`597f187a`). All fixes are same-major dependency pins — no code changes.

| Dependency | Change | CVEs |
|---|---|---|
| spring-boot-starter-parent | 3.5.12 → 3.5.14 | CVE-2026-40973 |
| jackson-bom / jackson | 2.17.0 → 2.18.8 | CVE-2026-54512,
CVE-2026-54513 |
| netty (pinned over Boot BOM) | → 4.1.135.Final | CVE-2026-42583,
CVE-2026-42579, CVE-2026-42584, CVE-2026-42587, CVE-2026-33870,
CVE-2026-33871, CVE-2026-44249, CVE-2026-45416, CVE-2026-50010,
CVE-2026-45674, CVE-2026-47691 |
| commons-io (dependencyManagement) | → 2.20.0 | CVE-2024-47554
(transitive via databricks-sdk-java) |
| plexus-utils (dependencyManagement) | → 3.6.1 | CVE-2025-67030 |
| aws-java-sdk (amazons3Plugin, awsLambdaPlugin) | 1.12.261 / 1.12.622 →
1.12.797 | CVE-2024-21634 (drops unpatched
`software.amazon.ion:ion-java` entirely) |

### Verification

- `mvn clean install -DskipTests` passes on this branch (CE) and on EE
with this commit cherry-picked (sync simulation applied cleanly — no
conflicts).
- Trivy re-scan of the built server + all plugin jars (CE and EE builds)
confirms every targeted CVE is gone. Remaining findings are all known
non-actionable: `com.appsmith:*` self-advisories (already handled via
GHSA lifecycle), `mssql-jdbc` (false positive — installed `11.2.4.jre11`
**is** the patched version; scanner drops the `.jre11` suffix), `ini4j`
(no fixed version exists upstream), and jackson 2.16.0 shaded **inside**
the `databricks-jdbc` fat jar (not resolvable via Maven; needs a
databricks-jdbc 2.6.40 → 2.7.x bump, deferred as a separate follow-up).
- `mvn spotless:check` clean; pre-commit hooks passed.

### Out of scope (image-level, tracked separately)

Keycloak jars (`opt/keycloak/**`), Temporal go binaries
(`opt/temporal/**`), Node's bundled `undici`, and RTS `nodemailer`
(major bump) — these are not fixable from this repo's poms.

## Automation
/ok-to-test tags="@tag.All"

<!-- This is an auto-generated comment: Cypress test results  -->
> [!TIP]
> 🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
> Workflow run:
<https://github.com/appsmithorg/appsmith/actions/runs/28682481837>
> Commit: 06ae9cc
> <a
href="https://internal.appsmith.com/app/cypress-dashboard/rundetails-65890b3c81d7400d08fa9ee5?branch=master&workflowId=28682481837&attempt=1"
target="_blank">Cypress dashboard</a>.
> Tags: `@tag.All`
> Spec:
> <hr>Fri, 03 Jul 2026 21:42:23 UTC
<!-- end of auto-generated comment: Cypress test results  -->


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* Updated several bundled library versions to address known security
vulnerabilities.
* Improved dependency consistency across the app to reduce the risk of
runtime issues caused by outdated transitive packages.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
@pull pull Bot locked and limited conversation to collaborators Jul 4, 2026
@pull pull Bot added the ⤵️ pull label Jul 4, 2026
@pull pull Bot merged commit d03d506 into code:release Jul 4, 2026
2 of 3 checks passed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant