
[0.4] remove plexus-utils from production image due to CVE-2025-67030 (#428) #429

Merged: Apmats merged 1 commit into 0.4 from backport/0.4/pr-428 on Apr 1, 2026

Conversation


@github-actions github-actions bot commented Apr 1, 2026

Backports the following commits to 0.4:

elastic/search-team#13576

plexus-utils-3.5.1.jar (CVE-2025-67030, directory traversal) is bundled
inside ruby-maven-libs-3.9.9, which ships Apache Maven. Maven is only
used at build time for JAR dependency resolution via jar-dependencies
and is not needed at runtime.

This PR removes ruby-maven and ruby-maven-libs gems from both Docker
images after the build step, eliminating the vulnerable library from the
production artifact.

Verified locally:

- plexus-utils-3.5.1.jar is no longer present in the built image
- All default gems load successfully
- Test suite passes (4 pre-existing sitemap test failures unrelated to this change)

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
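A check for the property the PR description claims (no plexus-utils jar and no ruby-maven gems left in the runtime image), as an added example that is not part of PR #428 or the project. It runs over any directory tree, e.g. an image filesystem exported with `docker export`, and assumes the RubyGems layout `<gem_dir>/gems/<name>-<version>/` with the Maven jars under the ruby-maven-libs gem; the sample trees it builds are constructed.

```shell
#!/bin/sh
# Added example (not code from PR #428): audit a directory tree for the
# build-only Maven pieces the PR strips from the production image.
# Exit 0 = clean, 1 = leftovers found, 2 = bad input.
# Assumption: RubyGems layout <gem_dir>/gems/<name>-<version>/, with the
# Maven jars living under the ruby-maven-libs gem directory.
maven_leftovers() {
  root="$1"
  [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
  # The CVE-2025-67030 jar, wherever it sits in the tree.
  jars=$(find "$root" -type f -name 'plexus-utils-*.jar' 2>/dev/null || true)
  # The gems that pull Maven in; either one means Maven still ships at runtime.
  gems=$(find "$root" -type d \( -name 'ruby-maven-[0-9]*' \
         -o -name 'ruby-maven-libs-[0-9]*' \) 2>/dev/null || true)
  if [ -n "$jars" ] || [ -n "$gems" ]; then
    printf '%s\n' "$jars" "$gems" | sed '/^$/d; s/^/still present: /'
    return 1
  fi
  echo "clean: no plexus-utils jar and no ruby-maven gems under $root"
  return 0
}

# Constructed sample trees for both outcomes (paths and the jar-dependencies
# version are illustrative, not taken from a real image).
make_sample() {  # usage: make_sample <base_dir> before|after
  gemdir="$1/usr/local/bundle/gems"
  mkdir -p "$gemdir/jar-dependencies-0.4.1/lib"   # stays: used by the app
  if [ "$2" = "before" ]; then
    # Pre-fix image: ruby-maven plus ruby-maven-libs, which bundles the jar.
    mkdir -p "$gemdir/ruby-maven-3.9.9/lib" \
             "$gemdir/ruby-maven-libs-3.9.9/maven-home/lib"
    : > "$gemdir/ruby-maven-libs-3.9.9/maven-home/lib/plexus-utils-3.5.1.jar"
  fi
}
```

Running `maven_leftovers` against a `docker export` of each image before and after the change gives the same pass/fail signal as the manual verification listed above.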
@Apmats Apmats merged commit c9d3484 into 0.4 Apr 1, 2026
2 checks passed
@Apmats Apmats deleted the backport/0.4/pr-428 branch April 1, 2026 13:38