Bump Jetty deps from 11.x.x to 12.x.x
Would be great to bump Jetty so that no vulns are reported. Specifically, I currently get this report for [ring/ring-jetty-adapter "1.13.0"]:
| NAME | INSTALLED | FIXED-IN | TYPE | VULNERABILITY | SEVERITY |
|---|---|---|---|---|---|
| jetty-http | 11.0.24 | 12.0.12 | java-archive | GHSA-qh8g-58pp-2wxh | Low |
I could not quickly override the Ring's Jetty deps in my projects as the structure of Jetty repos changed in 12.0.0. See org.eclipse.jetty.ee{8,9,10} new coordinates in https://jetty.org/docs/jetty/12/programming-guide/migration/11-to-12.html.
It seems jetty 11 has reached its end of life. You can switch to rj9a for now for latest jetty https://github.com/sunng87/ring-jetty9-adapter .
Jetty tends to change around its API every version, so unfortunately we can't just update the artifacts and expect Jetty to still work. It'll likely require a fair bit of effort, as I'm sure @sunng87 can attest.
That's true. Especially for Jetty 12 they refactored a lot to drop the dependency on JavaEE APIs.
I got here because of a docker image scan failure reported to me, specifically for jetty-http: https://scout.docker.com/vulnerabilities/id/CVE-2024-6763?s=github&n=jetty-http&ns=org.eclipse.jetty&t=maven&vr=%3E%3D7.0.0%2C%3C%3D12.0.11
Is there a plan to switch to jetty 12.x anytime soon?
It'll be updated as soon as I, or anyone else, gets the time to do so. That probably means sometime in December.
As far as I'm aware, the reported vulnerabilities in Jetty 11 do not affect Ring.
Fixed by eda1676. It turns out that the class files we needed are all still there, just with different packages paths and found in different artifacts, so a much easier transition than going from Jetty 9 to 10.
By the way, `:thread-pool (org.eclipse.jetty.util.thread.VirtualThreadPool.)` works great with this -- testing for a few hours now. ⚡😄
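As an added example (not code from this thread or from the Ring project), this is how the `:thread-pool` option mentioned above can be wired up with Jetty 12's `VirtualThreadPool`; it assumes a Ring release that already depends on Jetty 12 and a JDK 21 or newer runtime, and the namespace and port are arbitrary:

```clojure
(ns example.server
  (:require [ring.adapter.jetty :as jetty])
  (:import [org.eclipse.jetty.util.thread VirtualThreadPool]))

;; Minimal handler; reports whether the request was served on a virtual thread
;; (Thread.isVirtual is a JDK 21 API).
(defn handler [request]
  {:status  200
   :headers {"Content-Type" "text/plain"}
   :body    (str "served " (:uri request)
                 " virtual? " (.isVirtual (Thread/currentThread)))})

(defn start-server
  "Starts Jetty on the given port with a VirtualThreadPool and returns the
   org.eclipse.jetty.server.Server so the caller can stop it later."
  [port]
  (jetty/run-jetty handler
                   {:port        port
                    :join?       false                 ;; return instead of blocking
                    :thread-pool (VirtualThreadPool.)})) ;; one virtual thread per task

(comment
  ;; REPL usage: start, hit http://localhost:3000/ , then stop.
  (def server (start-server 3000))
  (.stop server))
```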