fix(security): bump Spring Boot to 3.5.14 and Netty to 4.1.135 for CVE fixes #41928
sebastianiv21 wants to merge 2 commits into
…E fixes

Bumps spring-boot-starter-parent 3.5.12 -> 3.5.14 to remediate CVE-2026-40973 (insecure multipart temporary file), and overrides the BOM-managed Netty to 4.1.135.Final to remediate reachable Netty CVEs CVE-2026-33870 and CVE-2026-42583, plus newly disclosed netty-handler and netty-resolver-dns advisories (CVE-2026-44249, 45416, 50010, 45674, 47691) and the netty-codec/http2/dns set (CVE-2026-42584, 42587, 42579, 33871). Spring Boot 3.5.14 still manages the vulnerable Netty 4.1.132, so an explicit netty.version property override is required.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Walkthrough
The PR updates the app server Maven parent version, adds a centralized Netty version property, and revises an ArangoDB plugin comment to describe Netty as provided by the appsmith-server runtime.
Changes
Server dependency version updates
Estimated code review effort: 1 (Trivial), ~3 minutes
/build-deploy-preview skip-tests=true
Deploying Your Preview: https://github.com/appsmithorg/appsmith/actions/runs/28264173509.
Deploy-Preview-URL: https://ce-41928.dp.appsmith.com
Summary
Remediates reachable High CVEs in the Spring server via two dependency bumps.
Why the Netty property override
Spring Boot 3.5.14's BOM manages Netty 4.1.132.Final, which is still vulnerable. <netty.version>4.1.135.Final</netty.version> is the canonical property the spring-boot-dependencies BOM consumes, so it bumps all io.netty:* artifacts consistently. There is no competing netty-bom import or direct Netty pin in the server tree.
Validation
mvn help:evaluate confirms effective versions: netty.version=4.1.135.Final, parent 3.5.14. appsmith-server POM resolves/parses (BUILD SUCCESS).
CI Trigger
/ok-to-test tags="@tag.All"
Test plan
🤖 Generated with Claude Code
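The description above rests on a Maven detail that is easy to get wrong: a property override only controls the Netty version if nothing else in the POM chooses one, so the author checks that no direct io.netty pin and no netty-bom import competes with netty.version. The following script is an added example, not code from this PR or from the appsmith repository. It parses a pom.xml and reports the parent version, the netty.version property, any io.netty:* dependency that carries its own <version> (which overrides the BOM-managed version), and any io.netty:netty-bom import in dependencyManagement (which re-manages every io.netty artifact ahead of the inherited spring-boot-dependencies entries). The two POMs it audits are constructed inline to mirror the clean layout and a conflicting one; the artifact name example-server is an assumption.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

# Version the PR settles on; the property must resolve to exactly this value.
TARGET_NETTY = "4.1.135.Final"


@dataclass
class NettyAudit:
    parent_version: Optional[str]
    netty_property: Optional[str]
    direct_pins: List[str] = field(default_factory=list)   # io.netty deps carrying their own <version>
    bom_imports: List[str] = field(default_factory=list)   # netty-bom imports re-managing io.netty:*

    def is_clean(self, expected: str = TARGET_NETTY) -> bool:
        """True when the netty.version property is the only place a Netty version is chosen."""
        return (self.netty_property == expected
                and not self.direct_pins and not self.bom_imports)


def audit_pom(pom_xml: str) -> NettyAudit:
    """Parse a pom.xml and collect every source of an io.netty version."""
    root = ET.fromstring(pom_xml)
    # Most POMs declare the Maven namespace; tolerate ones that omit it.
    ns = root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""

    def q(name: str) -> str:
        return f"{{{ns}}}{name}" if ns else name

    def child(el, name):
        return next((c for c in el if c.tag == q(name)), None) if el is not None else None

    def text(el, *path) -> Optional[str]:
        for name in path:
            el = child(el, name)
        return el.text.strip() if el is not None and el.text else None

    def deps_under(el):
        deps = child(el, "dependencies")
        return [c for c in deps if c.tag == q("dependency")] if deps is not None else []

    audit = NettyAudit(
        parent_version=text(root, "parent", "version"),
        netty_property=text(root, "properties", "netty.version"),
    )
    # A direct dependency with its own <version> beats the BOM-managed version,
    # unless it simply references the property.
    for dep in deps_under(root):
        group, artifact, version = (text(dep, n) for n in ("groupId", "artifactId", "version"))
        if group == "io.netty" and version and version != "${netty.version}":
            audit.direct_pins.append(f"{group}:{artifact}:{version}")
    # A netty-bom import in this POM's dependencyManagement takes precedence over
    # the inherited spring-boot-dependencies entries for every io.netty artifact.
    for dep in deps_under(child(root, "dependencyManagement")):
        group, artifact, version, scope = (text(dep, n) for n in ("groupId", "artifactId", "version", "scope"))
        if group == "io.netty" and artifact == "netty-bom" and scope == "import" and version != "${netty.version}":
            audit.bom_imports.append(f"{group}:{artifact}:{version}")
    return audit


def _sample_pom(netty_property: str, extra_dependencies: str = "", dependency_management: str = "") -> str:
    """Constructed sample POM mirroring the PR's layout (artifact name is made up)."""
    return f"""<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>3.5.14</version>
  </parent>
  <artifactId>example-server</artifactId>
  <properties>
    <netty.version>{netty_property}</netty.version>
  </properties>
  {dependency_management}
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-webflux</artifactId>
    </dependency>
    {extra_dependencies}
  </dependencies>
</project>"""


# Clean case: the property is the single source of the Netty version.
CLEAN_POM = _sample_pom("4.1.135.Final")

# Conflicting case: a direct pin and a netty-bom import both drag the old version back in.
COMPETING_POM = _sample_pom(
    "4.1.135.Final",
    extra_dependencies="""<dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-handler</artifactId>
      <version>4.1.132.Final</version>
    </dependency>""",
    dependency_management="""<dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-bom</artifactId>
        <version>4.1.132.Final</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>""",
)

if __name__ == "__main__":
    for label, pom in (("clean", CLEAN_POM), ("competing", COMPETING_POM)):
        a = audit_pom(pom)
        print(f"{label}: parent={a.parent_version} netty.version={a.netty_property} "
              f"pins={a.direct_pins} bom_imports={a.bom_imports} clean={a.is_clean()}")
```

Run it against a real server pom.xml by passing the file contents to audit_pom; a non-empty direct_pins or bom_imports list means mvn help:evaluate would still show netty.version=4.1.135.Final while the resolved artifacts stay at the older version, which is exactly the case this check is meant to catch.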
🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
Workflow run: https://github.com/appsmithorg/appsmith/actions/runs/28471068281
Commit: 9102e65
Cypress dashboard.
Tags: @tag.All
Spec:
Wed, 01 Jul 2026 14:37:32 UTC