[MOSIP-44772] vulnerabilities update#213
Conversation
Signed-off-by: Md-Humair-KK <mdhumair.kankudti@gmail.com>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Repository UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (1)
💤 Files with no reviewable changes (1)
WalkthroughThis PR updates Maven dependency management and version pins across three plugin modules, including Bouncy Castle overrides, Spring Security BOM import, service version bumps, and a Velocity artifact replacement. ChangesDependency Version Updates
Estimated code review effort: 2 (Simple) | ~10 minutes Suggested reviewers: Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@mosip-identity-plugin/pom.xml`:
- Around line 71-79: The Spring Boot 3.2.x BOM used by the module is
end-of-life, so this dependency pin only masks the underlying support issue.
Keep the `spring-security-bom` override if needed for the immediate CVE fix, but
add a follow-up plan to upgrade the project’s Spring Boot version (the
`spring.boot.version` property and related BOM usage in `pom.xml`) to a
currently supported release line.
- Around line 69-88: The dependencyManagement block in the pom is only pinning
bcpkix-jdk18on, which can still allow Maven to resolve mismatched Bouncy Castle
versions through transitive ranges. Update the same dependencyManagement section
to also manage bcprov-jdk18on and bcutil-jdk18on, alongside bcpkix-jdk18on, all
at version 1.80 so the Bouncy Castle set stays aligned. Use the existing
dependencyManagement entries as the place to add the sibling artifacts.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: ec1936b4-e3bb-4d54-8dc1-4b1cb7feb4c4
📒 Files selected for processing (3)
mock-plugin/pom.xmlmosip-identity-plugin/pom.xmlsunbird-rc-plugin/pom.xml
Signed-off-by: Md-Humair-KK <mdhumair.kankudti@gmail.com>
Signed-off-by: Md-Humair-KK <mdhumair.kankudti@gmail.com>
Summary by CodeRabbit
1.3.0release across affected plugins.velocity-engine-core:2.3.biometrics-utildependency to1.3.0.