Update libs #2577

Merged: sdelamo merged 2 commits into micronaut-projects:6.19.x from altro3:updatelibs12 on Feb 27, 2026

altro3 (Collaborator) commented Feb 15, 2026

No description provided.

altro3 added the "type: dependency-upgrade" (Upgrade a dependency) label, Feb 15, 2026
altro3 requested a review from graemerocher, February 15, 2026 07:54
altro3 force-pushed the updatelibs12 branch 7 times, most recently from 265bb73 to 66a4e92, February 22, 2026 03:16
altro3 force-pushed the updatelibs12 branch 2 times, most recently from 4097f42 to 5ea9484, February 24, 2026 04:46
Comment thread openapi-generator/build.gradle.kts Outdated
api(mnLogging.slf4j.ext)
api(mn.snakeyaml)
api(mn.jackson.datatype.jsr310)
api(libs.rhino)
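
Review bot: `api(libs.rhino)` at the end of this block puts rhino on the compile classpath of every consumer of this module, although nothing here shows the module using it directly. If the aim is only to control which version of a transitive dependency is resolved, a dependency constraint (with a `because(...)` reason) does that without adding a direct dependency; failing that, add a comment on the line explaining why it is there.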

Contributor:

Why do we need rhino?

Collaborator (author):

Unfortunately, otherwise the build won't build, and Sonatype complains that the library contains a vulnerability. We don't use this library, but it is included as a transitive dependency via openapi-generator, which references the old swagger-parser, which in turn references rhino.

If you have another solution to this problem, no problem. Let's find a different solution. But the fact remains: if we don't do this, the build will fail.

Contributor:

We should get a new transitive of the openapi-generator that fixes this vulnerability.

Collaborator (author):

I don't quite understand what you're talking about... That's exactly what I did, replacing the vulnerable version with a non-vulnerable one. All other versions are up to date, but Rhino still connects to the old version, and there's no way to fix it without manual intervention.

sdelamo merged commit b112971 into micronaut-projects:6.19.x on Feb 27, 2026
6 checks passed