
fix: use resolutionStrategy to enforce minimum versions for vulnerabi… #376

Merged

catarina-correia merged 1 commit into main from CHK-fix-vulnerabilities-2 on May 27, 2026

Conversation

Contributor

@catarina-correia catarina-correia commented May 27, 2026

Summary

Refactors vulnerability remediation strategy in build configuration by switching from Gradle version constraints to resolutionStrategy-based dependency management.

Changes

  • Replaces version constraints with resolutionStrategy.eachDependency blocks
  • Maintains same enforced minimum versions for three critical libraries:
    • jackson-core >= 3.1.1 (maxDocumentLength bypass)
    • tomcat-embed-core >= 11.0.22 (multiple CVEs)
    • netty-codec-http* >= 4.2.13.Final (HTTP Request Smuggling)
  • Removes outdated prefer version for netty-codec-http

Impact

  • Approach change: resolutionStrategy provides more explicit control and is applied consistently across all configurations
  • Functionally equivalent: Same minimum versions enforced, no breaking changes to dependency resolution
  • Maintenance: Consolidates vulnerability constraints into a single location for better visibility

…lities

Replaces dependency constraints with resolutionStrategy.eachDependency to
correctly rewrite transitive dependency versions in the submitted dependency
graph, fixing stale versions showing in GitHub Insights. Also adds
netty-codec-http2 and netty-codec-http3 to the netty upgrade rule.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
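The two approaches the description compares, as an added example that is not the project's own build file: a Groovy-DSL build.gradle fragment that enforces the PR's minimum versions on every configuration, with a numeric version comparison so that a requested 4.2.9 is correctly bumped to 4.2.13. The Maven group ids (tools.jackson.core, org.apache.tomcat.embed, io.netty) and the shape of the removed constraints block are assumptions; only the artifact names and minimum versions come from the page.

```groovy
// Added example, not the project's own build.gradle. Group ids are assumed;
// artifact names and minimum versions are the ones listed in the PR.
def MIN_VERSIONS = [
    'tools.jackson.core:jackson-core'          : '3.1.1',        // maxDocumentLength bypass
    'org.apache.tomcat.embed:tomcat-embed-core': '11.0.22',      // multiple CVEs
    'io.netty:netty-codec-http'                : '4.2.13.Final', // HTTP request smuggling
    'io.netty:netty-codec-http2'               : '4.2.13.Final',
    'io.netty:netty-codec-http3'               : '4.2.13.Final',
]

// Compare dotted versions numerically: 4.2.9 < 4.2.13, which a plain string
// comparison gets wrong. Non-numeric qualifiers such as "Final" are ignored.
int compareVersions(String a, String b) {
    def pa = a.tokenize('.').findAll { it.isInteger() }*.toInteger()
    def pb = b.tokenize('.').findAll { it.isInteger() }*.toInteger()
    int n = Math.max(pa.size(), pb.size())
    for (int i = 0; i < n; i++) {
        int x = i < pa.size() ? pa[i] : 0
        int y = i < pb.size() ? pb[i] : 0
        if (x != y) return x <=> y
    }
    return 0
}

// BEFORE (assumed shape of the constraints the PR replaces): a constraint is
// declared per configuration, and `prefer` is only a hint that any explicit
// version elsewhere in the graph can override.
// dependencies {
//     constraints {
//         implementation('io.netty:netty-codec-http') { version { prefer '4.2.13.Final' } }
//     }
// }

// AFTER: rewrite the requested version on every configuration, including
// transitive edges, so the resolved graph itself carries the patched version.
configurations.configureEach {
    resolutionStrategy.eachDependency { DependencyResolveDetails details ->
        def key = "${details.requested.group}:${details.requested.name}".toString()
        def min = MIN_VERSIONS[key]
        def requested = details.requested.version
        // Only raise versions below the floor; never downgrade a newer request.
        if (min != null && (!requested || compareVersions(requested, min) < 0)) {
            details.useVersion(min)
            details.because("security minimum: ${key} >= ${min}")
        }
    }
}
```

Because the rule runs on every configuration, `gradle dependencies --configuration runtimeClasspath` shows the rewritten version on transitive edges too, which is what a dependency-graph submission reports.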
@catarina-correia catarina-correia requested a review from a team as a code owner May 27, 2026 13:11
@catarina-correia catarina-correia merged commit 31db6f1 into main May 27, 2026
4 checks passed
@catarina-correia catarina-correia deleted the CHK-fix-vulnerabilities-2 branch May 27, 2026 15:47