janusgraph icon indicating copy to clipboard operation
janusgraph copied to clipboard
verified publisher icon JanusGraph

Bump jetty-http from 9.4.44.v20210927 to 9.4.48.v20220622

Open dependabot[bot] opened this issue 3 years ago • 3 comments

Bumps jetty-http from 9.4.44.v20210927 to 9.4.48.v20220622.

Release notes

Sourced from jetty-http's releases.

9.4.48.v20220622

End of Life Notice

Critical Fix

  • #8184 - All suffix globs except first fail to match if path has . character in prefix section

9.4.47.v20220610

Fixed Security Advisories

Important

Changelog

  • #8145 - RegexPathSpec backport of optional group name/info lookup if regex fails
  • #8088 - Add option to configure exitVm on ShutdownMonitor from System properties
  • #8067 - Wall time usage in DoSFilter RateTracker results in false positive alert
  • #8014 - Review HttpRequest URI construction (Resolves CVE-2022-2047)
  • #7976 - Add TRANSFER_ENCODING violation for MultiPart RFC7578 parser.
  • #7947 - Improved PathSpec handling for servletName & pathInfo
  • #7935 - Review HTTP/2 error handling (Resolves CVE-2022-2048)
  • #7918 - PathMappings.asPathSpec does not allow root ServletPathSpec
  • #7863 - Default servlet drops first accept-encoding header if there is more than one.
  • #7858 - GZipHandler does not play nice with other handlers in HandlerCollection
  • #7837 - Fix StatisticsHandler in the case a Handler throws exception.
  • #7809 - Jetty 9.4.x 7801 duplicate set session cookies
  • #7748 - Allow overriding of url-pattern mapping in ServletContextHandler to allow for regex or uri-template matching

Dependencies

  • #8076 - Bump asciidoctorj-diagram to 2.2.3
  • #7840 - Bump asm.version to 9.3
  • #8143 - Bump biz.aQute.bndlib to 6.3.1
  • #8055 - Bump error_prone_annotations to 2.14.0
  • #8110 - Bump google-cloud-datastore to 2.7.0
  • #8098 - Bump grpc-core to 1.47.0
  • #7988 - Bump hawtio-default to 2.15.0
  • #7999 - Bump jackson-annotations to 2.13.3
  • #8000 - Bump jackson-core to 2.13.3
  • #8002 - Bump jackson-databind to 2.13.3
  • #7846 - Bump jacoco-maven-plugin to 0.8.8
  • #7816 - Bump jnr-ffi to 2.2.12
  • #7968 - Bump kerb-simplekdc to 2.0.2

... (truncated)

Commits
  • 6b67c57 Updating to version 9.4.48.v20220622
  • f977f36 exclude some infinispan dependencies to avoid problem with m-enforcer-p (#8177)
  • fa40ad7 Issue #8184 - Correcting match logic for multiple servlet suffix url-pattern ...
  • 3886ac5 Merge Release 9.4.47 back into jetty-9.4.x (#8179)
  • abd634e update readme as IT tests are running per default now (#8139)
  • 4ca8afb Fixes #8014 - Review HttpRequest URI construction. (#8146)
  • 18653c4 Skip optional group name/info lookup if regex fails. (#8145)
  • aba8aa6 Bump biz.aQute.bndlib from 6.3.0 to 6.3.1 (#8143)
  • ff2cb45 Jetty 9.4.x 7801 duplicate set session cookies (#7809)
  • 5b4d1dd Improved PathSpec handling for servletName & pathInfo (#7947)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the Security Alerts page.

dependabot[bot] avatar Aug 20 '22 06:08 dependabot[bot]

I had to manually change the base branch to v0.6 since Dependabot created this for master as it includes a security fix.

@dependabot rebase

FlorianHockmann avatar Aug 24 '22 13:08 FlorianHockmann

Looks like it's not possible to let Dependabot properly rebase the PR onto v0.6 so:

@dependabot recreate

FlorianHockmann avatar Aug 24 '22 13:08 FlorianHockmann

@FlorianHockmann their is no jetty.version in v0.6

farodin91 avatar Sep 19 '22 21:09 farodin91

@FlorianHockmann Should backport this PR?

farodin91 avatar Sep 23 '22 21:09 farodin91

Should backport this PR?

Yes, that would be good since this is not a major update but it includes a security fix.

FlorianHockmann avatar Sep 26 '22 07:09 FlorianHockmann

@dependabot rebase

farodin91 avatar Nov 04 '22 14:11 farodin91

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

dependabot[bot] avatar Nov 07 '22 17:11 dependabot[bot]

@dependabot rebase

farodin91 avatar Nov 09 '22 09:11 farodin91

💔 All backports failed

Status Branch Result
v0.6 Backport failed because of merge conflicts

You might need to backport the following PRs to v0.6:
- Bump jackson2.version from 2.13.4 to 2.14.0
- Bump cassandra-driver.version from 4.14.1 to 4.15.0
- Bump ant from 1.9.11 to 1.10.12

Manual backport

To create the backport manually run:

backport --pr 3178

Questions ?

Please refer to the Backport tool documentation and see the Github Action logs for details

github-actions[bot] avatar Nov 10 '22 06:11 github-actions[bot]

@FlorianHockmann I won't backport this PR to much effort.

farodin91 avatar Nov 10 '22 08:11 farodin91