SWI-3723 [Snyk] Fix for 5 vulnerabilities

[bwappsec]

Snyk has created this PR to fix 5 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

• samples/server/petstore/java-undertow/pom.xml

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score	Upgrade
	HTTP Request Smuggling SNYK-JAVA-IOUNDERTOW-15967938	177	com.networknt:audit: 0.1.1 -> 1.5.26 com.networknt:info: 0.1.1 -> 1.5.26 com.networknt:security: 0.1.1 -> 1.5.26 com.networknt:server: 0.1.1 -> 1.5.26 Major version upgrade No Path Found No Known Exploit
	HTTP Request Smuggling SNYK-JAVA-IOUNDERTOW-15968277	177	com.networknt:audit: 0.1.1 -> 1.5.26 com.networknt:info: 0.1.1 -> 1.5.26 com.networknt:security: 0.1.1 -> 1.5.26 com.networknt:server: 0.1.1 -> 1.5.26 Major version upgrade No Path Found No Known Exploit
	HTTP Request Smuggling SNYK-JAVA-IOUNDERTOW-16009217	177	com.networknt:audit: 0.1.1 -> 1.5.26 com.networknt:info: 0.1.1 -> 1.5.26 com.networknt:security: 0.1.1 -> 1.5.26 com.networknt:server: 0.1.1 -> 1.5.26 Major version upgrade No Path Found No Known Exploit
	Allocation of Resources Without Limits or Throttling SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551	125	com.fasterxml.jackson.core:jackson-core: 2.15.2 -> 2.21.2 com.fasterxml.jackson.core:jackson-databind: 2.15.2 -> 2.21.2 com.networknt:security: 0.1.1 -> 1.5.26 No Path Found No Known Exploit
	Memory Leak SNYK-JAVA-IOUNDERTOW-7433721	38	com.networknt:audit: 0.1.1 -> 1.5.26 com.networknt:info: 0.1.1 -> 1.5.26 com.networknt:security: 0.1.1 -> 1.5.26 com.networknt:server: 0.1.1 -> 1.5.26 io.undertow:undertow-core: 2.3.17.Final -> 2.3.18.Final Major version upgrade No Path Found No Known Exploit

Breaking Change Risk

Notice: This assessment is enhanced by AI.

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Allocation of Resources Without Limits or Throttling
🦉 Memory Leak

[bwappsec]

This upgrade includes a major version jump for com.networknt modules from a pre-release 0.1.1 to 1.5.26, which presents a high risk of breaking changes. The jackson and undertow upgrades are lower risk.

Analysis of Upgrades

com.networknt packages (HIGH RISK)

• com.networknt:audit: 0.1.1 → 1.5.26
• com.networknt:info: 0.1.1 → 1.5.26
• com.networknt:security: 0.1.1 → 1.5.26
• com.networknt:server: 0.1.1 → 1.5.26

This is a significant upgrade from a pre-1.0 version to a stable 1.5.x version for the light-4j framework. Upgrades from a 0.x version to 1.x often contain fundamental API changes. While release notes for recent versions exist, a direct migration guide from 0.1.1 is not available. Given the large version gap, it is highly likely that there are significant breaking changes in configuration, APIs, and core functionality.

Recommendation: A thorough migration and testing process is required. Developers should consult the light-4j documentation and treat this as a major migration effort.

com.fasterxml.jackson.core packages (MEDIUM RISK)

• jackson-core: 2.15.2 → 2.21.2
• jackson-databind: 2.15.2 → 2.21.2

This upgrade contains minor version updates with some behavioral changes that require verification:

• v2.16: The default for StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION has been changed to false to reduce information leakage in exceptions.
• v2.17: Deserialization of numbers from strings is stricter; for example, strings with leading zeros like "07" are no longer coerced to numbers for enum indexes.
• v2.18: Support for Kotlin 1.7.x has been dropped.

Recommendation: Verify that application logic does not depend on the previous default behaviors, especially concerning error handling and enum deserialization from strings.

io.undertow:undertow-core (LOW RISK)

• undertow-core: 2.3.17.Final → 2.3.18.Final

This is a patch release that consists of bug fixes and security updates. No breaking API changes are documented.

Source: Release notes

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

[bwappsec]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.