Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Upgrade org.postgresql:postgresql from 42.7.3 to 42.7.4 #1412

Closed

Conversation

smirnovaae
Copy link
Contributor

snyk-top-banner

Snyk has created this PR to upgrade org.postgresql:postgresql from 42.7.3 to 42.7.4.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 1 version ahead of your current version.

  • The recommended version was released on 2 months ago.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

Snyk has created this PR to upgrade org.postgresql:postgresql from 42.7.3 to 42.7.4.

See this package in maven:
org.postgresql:postgresql

See this project in Snyk:
https://app.snyk.io/org/smirnovaae/project/89bb61b1-ca0a-4211-ad98-71a035886393?utm_source=github&utm_medium=referral&page=upgrade-pr
@smirnovaae smirnovaae requested a review from a team as a code owner October 27, 2024 15:25
bennavapbc added a commit that referenced this pull request Nov 12, 2024
## 🎫 Ticket

https://jira.cms.gov/browse/AB2D-6397

## 🛠 Changes
- In the parent POM, rename property from `postgres.version` to
`postgresql.version` to properly override version defined in
`spring-boot-dependencies`.
- Bump postgresql version to 42.7.4 to be consistent with #1412

## ℹ️ Context

The postgres version defined by `spring-boot-dependencies` is 42.3.8.
Snyk flags this version as vulnerable.

Modules **common** and **job** override this version to 42.7.3. However,
when another module imports one of these modules, Maven does not select
this overridden version and instead selects the version defined by
`spring-boot-dependencies`.

## 🧪 Validation

Running `mvn dependency:tree` on **main** shows different versions being
used for different modules.
On the feature branch, the same version is used across all modules. 


![image](https://github.com/user-attachments/assets/720540df-5485-4f97-ad1f-17df44319aab)
@smirnovaae
Copy link
Contributor Author

closed as duplicate for #1416

@smirnovaae smirnovaae closed this Nov 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants