Skip to content

feat(QTDI-2292): Q1 2026 CVE - security updates#1158

Merged
ypiel-talend merged 7 commits intomasterfrom
feat/QTDI-2292_security
Feb 9, 2026
Merged

feat(QTDI-2292): Q1 2026 CVE - security updates#1158
ypiel-talend merged 7 commits intomasterfrom
feat/QTDI-2292_security

Conversation

@lxia-talend
Copy link
Contributor

@lxia-talend lxia-talend commented Jan 23, 2026
edited by ypiel-talend
Loading

  • chore(QTDI-2345): [TCK] Update XBean to 4.29+
  • chore(QTDI-2446): bump log4j to 2.25.3
  • chore(QTDI-2465): bump logback to 1.5.19
  • chore(QTDI-2457): bump react-router to 6.30.2 to fix cve on @remix-run/router
  • chore(QTDI-2394): bump rhino to 1.9.0
  • chore(QTDI-2242): bump tomcat to 9.0.113
  • chore(QTDI-2456): CVE-2025-15284 Qs 6.13.0

@yyin-talend @undx
feat(QTDI-2292): security 5 CVE issues include (#1156)
05b9657 
* chore(QTDI-2446): bump log4j to 2.25.3

* chore(QTDI-2465): bump logback to 1.5.19

* chore(QTDI-2457): bump react-router to 6.30.2 to fix cve on @remix-run/router

* chore(QTDI-2394): bump rhino to 1.9.0

* chore(QTDI-2242): bump tomcat to 9.0.113

* logback

---------

Co-authored-by: Emmanuel GALLOIS <Emmanuel.gallois@qlik.com>
Copilot AI reviewed Jan 23, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses five security vulnerabilities by upgrading affected dependencies to their patched versions across both Java (Maven) and JavaScript (npm) ecosystems.

Changes:

  • Upgraded Log4j from 2.20.0 to 2.25.3
  • Upgraded Logback from 1.5.18 to 1.5.19
  • Upgraded Tomcat from 9.0.109 to 9.0.113
  • Upgraded Rhino from 1.7.14 to 1.9.0
  • Upgraded react-router and react-router-dom from 6.3.0/6.24.1 to 6.30.2

Reviewed changes

Copilot reviewed 5 out of 7 changed files in this pull request and generated no comments.

Show a summary per file
File Description
pom.xml Updates Maven dependency versions for Log4j, Logback, Tomcat, and Rhino to address CVE issues
component-tools-webapp/src/main/frontend/package.json Upgrades react-router-dom to 6.30.2 and removes trailing empty line
component-tools-webapp/src/main/frontend/package-template.json Mirrors react-router-dom upgrade and formatting changes from package.json
component-starter-server/src/main/frontend/package.json Upgrades both react-router and react-router-dom to 6.30.2
component-starter-server/src/main/frontend/package-template.json Mirrors react-router upgrades from package.json
Files not reviewed (2)
  • component-starter-server/src/main/frontend/package-lock.json: Language not supported
  • component-tools-webapp/src/main/frontend/package-lock.json: Language not supported

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

yyin-talend
yyin-talend previously approved these changes Jan 23, 2026
View reviewed changes
@ypiel-talend ypiel-talend changed the title feat(QTDI-2292): security 5 CVE issues include (#1156) feat(QTDI-2292): Q1 2026 CVE - security updates Jan 23, 2026
@ypiel-talend
fix(QTDI-2345): Bump to xbean:4.29. (#1160)
ad6d937 
* chore(QTDI-2345): Bump to xbean:4.29.

* fix(QTDI-2345): Bump xbean in meecrowave dependencies.

* fix(QTDI-2345): Fix org.apache.xbean group.
@ypiel-talend ypiel-talend requested a review from undx February 9, 2026 09:52
ozhelezniak-talend
ozhelezniak-talend reviewed Feb 9, 2026
View reviewed changes
component-starter-server/pom.xml
<groupId>org.apache.meecrowave</groupId>
<artifactId>meecrowave-core</artifactId>
<version>${meecrowave.version}</version>
<exclusions>
Copy link
Contributor

@ozhelezniak-talend ozhelezniak-talend Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why not via depenency Managment?

Copy link
Contributor

@ypiel-talend ypiel-talend Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will be done in another work item because of Chinese vacation, not enough time to re-validate.
Here is the work item: https://qlik-dev.atlassian.net/browse/QTDI-2516

undx
undx reviewed Feb 9, 2026
View reviewed changes
Copy link
Member

@undx undx left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree with Oleksandr's remark.

@sonar-eks
Copy link

sonar-eks bot commented Feb 9, 2026

Passed Quality Gate passed

Issues

Measures

Project ID: org.talend.sdk.component:component-runtime

View in SonarQube

@ypiel-talend ypiel-talend merged commit 6ef9f85 into master Feb 9, 2026
8 checks passed
@ypiel-talend ypiel-talend deleted the feat/QTDI-2292_security branch February 9, 2026 14:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ypiel-talend ypiel-talend ypiel-talend left review comments

Copilot code review Copilot Copilot left review comments

@undx undx undx approved these changes

@ozhelezniak-talend ozhelezniak-talend ozhelezniak-talend approved these changes

@yyin-talend yyin-talend yyin-talend left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@lxia-talend @undx @yyin-talend @ypiel-talend @ozhelezniak-talend