…ties

The following vulnerabilities are fixed with an upgrade:

- https://snyk.io/vuln/SNYK-JAVA-ORGECLIPSEJETTY-16061843
- https://snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCATEMBED-15989808
- https://snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCATEMBED-15989820
- https://snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCATEMBED-15990633
- https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967769
- https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967804
- https://snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCATEMBED-15989812
This upgrade contains multiple major version jumps for critical Spring Boot starters, introducing significant breaking changes that require substantial migration effort. Top 3 Most Impactful Upgrades:
These two upgrades represent a multi-generational leap from Spring Boot 1.5 to Spring Boot 3.x (as 4.0 is not yet released). This is a major undertaking with several layers of breaking changes. It is strongly recommended to upgrade incrementally (e.g., 1.5 -> 2.0 -> 2.7 -> 3.2) rather than in one jump. Key Breaking Changes:
This is a minor version upgrade. While the official release notes were not found, the scope of changes between minor versions in this library is typically focused on bug fixes and small feature additions. No significant breaking changes are expected for this range. Recommendation: The Spring Boot upgrade is a major project and should not be merged without a dedicated migration and testing plan. Developers must address the Java version, Jakarta EE namespace changes, and updated configurations. Use the official migration guides and the properties migrator tool to assist with the process.
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.
Snyk has created this PR to fix 7 vulnerabilities in the maven dependencies of this project.
Snyk changed the following file(s):
- samples/server/petstore/java-pkmst/pom.xml

Vulnerabilities that will be fixed with an upgrade:

| Issue | Upgrade | Path | Exploit Maturity |
|---|---|---|---|
| SNYK-JAVA-ORGECLIPSEJETTY-16061843 | Major version upgrade | No Path Found | Proof of Concept |
| SNYK-JAVA-ORGAPACHETOMCATEMBED-15989808 | Major version upgrade | No Path Found | No Known Exploit |
| SNYK-JAVA-ORGAPACHETOMCATEMBED-15989820 | Major version upgrade | No Path Found | No Known Exploit |
| SNYK-JAVA-ORGAPACHETOMCATEMBED-15990633 | Major version upgrade | No Path Found | No Known Exploit |
| SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967769 | 3.10.0 -> 3.17.1 | No Path Found | No Known Exploit |
| SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967804 | 3.10.0 -> 3.17.1 | No Path Found | No Known Exploit |
| SNYK-JAVA-ORGAPACHETOMCATEMBED-15989812 | Major version upgrade | No Path Found | No Known Exploit |

Breaking Change Risk
Vulnerabilities that could not be fixed:

- org.springframework.boot:spring-boot-starter-jetty@1.5.6.RELEASE to org.springframework.boot:spring-boot-starter-jetty@3.2.0. Reason: could not apply upgrade, dependency is managed externally. Location: https://maven-central.storage-download.googleapis.com/maven2/org/springframework/boot/spring-boot-dependencies/1.5.6.RELEASE/spring-boot-dependencies-1.5.6.RELEASE.pom
- org.springframework.boot:spring-boot-starter-web@1.5.6.RELEASE to org.springframework.boot:spring-boot-starter-web@4.0.0. Reason: could not apply upgrade, dependency is managed externally. Location: https://maven-central.storage-download.googleapis.com/maven2/org/springframework/boot/spring-boot-dependencies/1.5.6.RELEASE/spring-boot-dependencies-1.5.6.RELEASE.pom

Important

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.