chore: 3PP update hygiene pass #189
Merged
Runtime:
- httpclient5 5.6 -> 5.6.1 (patch)
- jackson 2.21.2 -> 2.21.3 (patch)
- guava 33.5.0-jre -> 33.6.0-jre
- netty 4.1.132.Final -> 4.1.134.Final (patch on the gRPC-required 4.1.x line; raises the security-fix floor enforced by java-base-conventions.gradle.kts constraints)
- slf4j 2.0.17 -> 2.0.18 (patch)

Test:
- grpcmock 1.0.0 -> 1.1.1 (now pulls byte-buddy 1.18.3, which lines up with the byte-buddy already on the test classpath via assertj 3.27.7 - no new conflict)
- junit-bom 5.14.3 -> 5.14.4 (Jupiter 5.14.4 / Platform 1.14.4)

Held back:
- pgjdbc 42.7.10 -> 42.7.11. Closes CVE-2026-42198 (server-side DoS in SCRAM-SHA-256 auth) but breaks :jdbc-core tests under the Java 8 test toolchain: a new pgjdbc AuthMethod class on the test classpath triggers a JDK-8 reflection NPE in Executable.getAnnotatedReturnType0 inside ByteBuddy's annotation reader, causing Mockito's inline mock-maker to fail to mock org.apache.arrow.memory.BufferAllocator. pgjdbc only ships in :jdbc-reference (an internal Postgres reference fixture), so the CVE blast radius is limited; rationale captured at the pin site. Revisit once the Java 8 test toolchain is dropped or :jdbc-reference moves off Mockito-inline mocks.

GHSA-98qh-xjc8-98pq

Verified by ./gradlew test --rerun-tasks (every module's :test task green).

These two move together because gRPC's compat matrix pairs them and the generated stubs share an ABI.

gRPC 1.81.0:
- 1.81.x compat matrix pins grpc-netty <-> netty-handler 4.1.132.Final and netty-tcnative-boringssl-static 2.0.75.Final. Our floor (raised to 4.1.134.Final in the previous commit via java-base-conventions.gradle.kts constraints) is forward-compatible.
- No breaking changes affect a JDBC driver consuming grpc-netty / grpc-stub / grpc-inprocess. The only deprecation in the window is LoadBalancer.handleResolvedAddresses, which the driver does not implement.
- Java 8 still supported (the only floor change was Android API 23, irrelevant here).
- The explicit grpc-netty-shaded exclusion in java-base-conventions.gradle.kts is unaffected; no provider-priority changes in 1.81.0.

protobuf 4.35.0 (upstream v35.0):
- Java release notes are additive: BytecodeClassName helpers, an enforce_naming_style enum reserved for Edition 2026, a JsonFormat fix avoiding toBigIntegerExact for large exponents, and dropping Bazel 7 support (build-system only, no runtime impact). No breaking changes for our generated-code consumers.
- protobuf-java 4.35.0 has no new Java-runtime floor and is not pinned by gRPC 1.81.0; the two bumps are independent and chosen together for hygiene.

Verified by ./gradlew test --rerun-tasks across every module.

Quality / minor-version bump with no security CVEs in the window.
- log4j-core 2.26.0 release notes: correctness fixes around configuration reload and minor improvements to the JsonTemplateLayout. No API breakage for log4j-api consumers (which is how this project uses log4j; only the jdbc-test test fixture pulls log4j-core, never log4j-api).
- 2.x is still the supported line; no 3.x migration implied.
- Java 8 still supported.

Verified by ./gradlew test --rerun-tasks across every module.

- 0.10.0 raises the build-JDK floor to Java 11+ and Gradle 7.6+. We build with Java 21 + Gradle 8.14, so both floors are met. The runtime toolchain (Java 8 for tests) is unaffected since the protobuf plugin only runs at build time.
- The notable behavior change is a deprecation of writes to generatedFilesBaseDir; we don't set it anywhere (verified via grep across the repo), so no migration needed.
- Generated Java + gRPC stubs are unchanged in shape; this is purely a build-tooling refresh.

Verified by ./gradlew clean test --rerun-tasks across every module (forces a full proto regen via the upgraded plugin).
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
## main #189 +/- ##
=========================================
Coverage 80.86% 80.86%
Complexity 1728 1728
=========================================
Files 123 123
Lines 5011 5011
Branches 528 528
=========================================
Hits 4052 4052
Misses 727 727
Partials 232 232
mkaufmann (Member, Author) commented May 22, 2026
Two non-blocking notes on the framing of the security delta — the bumps themselves and the hold-back decisions look right.
- Suggested · gradle/libs.versions.toml:20 — Netty 4.1.132 → 4.1.134 closes 12 CVEs the body doesn't credit
- Suggested · gradle/libs.versions.toml:31 — the pgjdbc CVE comment inverts the threat model
Everything else checked out: gRPC/protobuf/Netty matrix is consistent, protobuf-gradle-plugin floors are met, the freefair-lombok hold-back is justified by the Gradle 8.14 floor, and the verification scope claimed in the body matches what was actually run.
Generated by the review-pr-tavern skill — a human did not write this comment.
KaviarasuSakthivadivel
approved these changes
May 22, 2026
praveen2450
approved these changes
May 22, 2026
Why
Routine 3PP hygiene pass — pull in available patch / minor bumps for runtime + test deps and the proto/gRPC/Netty matrix. The Netty 4.1.132 → 4.1.134 update closes 12 CVEs, including repository-relevant ones like CVE-2026-42587 (codec-http / http2), CVE-2026-41417 (codec-http), CVE-2026-42583 (codec / codec-compression).
Source: https://github.com/netty/netty/releases/tag/netty-4.1.133.Final.
What changed
gradle/libs.versions.toml only. Four commits, layered so each batch is independently verifiable / revertible.
Skipped (with rationale documented at the pin site)
- 42.7.10 → 42.7.11 — would close CVE-2026-42198, a client-side CPU-exhaustion DoS where a hostile PostgreSQL server returns a huge SCRAM PBKDF2 iteration count and the driver burns CPU on the key derivation (per GHSA-98qh-xjc8-98pq). The update resulted in a JDK-8 reflection NPE during test execution. pgjdbc is only consumed by :jdbc-reference (an internal Postgres-reference test fixture, not the published driver), so the CVE blast radius is limited to that test harness, which is anyway only pointed at a trusted PG server.
- 9.2.0 → 9.5.0 — requires Gradle 9.5; we're on 8.14. Not pursued in this PR. Gradle upgrade should be done separately.

Model: claude-opus-4-7 · Effort: default · Co-Authored-By: Claude
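The client-side CPU-exhaustion path described above for CVE-2026-42198, as an added example that is not pgjdbc's own code: a SCRAM-SHA-256 client step that parses the server-first message and refuses a server-supplied iteration count above a fixed ceiling before it ever calls PBKDF2. The ceiling, the function names and the sample messages are assumptions constructed for this example.

```python
import base64
import hashlib

# Ceiling for the server-supplied iteration count; an assumption for this
# example (RFC 7677 requires at least 4096; real servers use a few thousand).
MAX_ITERATIONS = 1_000_000


def parse_server_first(msg: str) -> dict:
    """Split 'r=<nonce>,s=<base64 salt>,i=<iterations>' into its attributes."""
    fields = {}
    for part in msg.split(","):
        key, sep, value = part.partition("=")
        if sep != "=" or key in fields:
            raise ValueError(f"malformed SCRAM attribute: {part!r}")
        fields[key] = value
    if set(fields) != {"r", "s", "i"}:
        raise ValueError("server-first must carry exactly r, s and i")
    return fields


def server_first_is_acceptable(msg: str, client_nonce: str) -> bool:
    """Return False when the server-first message must not be honoured."""
    try:
        fields = parse_server_first(msg)
        iterations = int(fields["i"])
        base64.b64decode(fields["s"], validate=True)  # binascii.Error is a ValueError
    except ValueError:
        return False
    if not fields["r"].startswith(client_nonce):
        return False  # nonce does not extend ours: not a reply to our request
    # The DoS check: a hostile server can set i to billions and make the client
    # spend minutes inside PBKDF2 before authentication can even fail.
    return 1 <= iterations <= MAX_ITERATIONS


def salted_password(password: str, msg: str, client_nonce: str) -> bytes:
    """SaltedPassword := PBKDF2-HMAC-SHA-256(password, salt, i), gated by the check."""
    if not server_first_is_acceptable(msg, client_nonce):
        raise ValueError("refusing SCRAM server-first message")
    fields = parse_server_first(msg)
    salt = base64.b64decode(fields["s"])
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(fields["i"]))


# Constructed sample messages (client nonce "fyko"; salt is base64 of b"salt").
BENIGN_SERVER_FIRST = "r=fyko3kFgsk,s=c2FsdA==,i=4096"
HOSTILE_SERVER_FIRST = "r=fyko3kFgsk,s=c2FsdA==,i=2000000000"
```

A real client would additionally verify the server's final signature; this block only isolates the pre-derivation check that bounds attacker-controlled work.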