[MODCITEM-23] Don't downgrade or pin Spring Boot provided versions Created: 18/Jan/24  Updated: 22/Jan/24  Resolved: 22/Jan/24

Status: Closed
Project: mod-circulation-item
Components: None
Affects versions: None
Fix versions: None

Type: Bug Priority: TBD
Reporter: Julian Ladisch Assignee: Unassigned
Resolution: Done Votes: 0
Labels: back-end, security, security-reviewed
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Sprint:
Development Team: Volaris
Release: Quesnelia (R1 2024)
RCA Group: Related dependency upgrade

Description

Remove these versions from pom.xml so that the versions provided by spring-boot-starter-parent (via https://repo1.maven.org/maven2/org/springframework/boot/spring-boot-dependencies/3.1.5/spring-boot-dependencies-3.1.5.pom) are used:

name                            pinned version   Spring Boot provided version
postgresql.version              42.5.4           42.6.0
snakeyaml.version               1.33             1.33
hazelcast.version               5.2.1            5.2.4
maven-clean-plugin.version      3.1.0            3.2.0
maven-resources-plugin.version  3.3.0            3.3.1

Upgrading hazelcast from 5.2.1 to 5.2.4 fixes the Incorrect Permission Assignment for Critical Resource and Insufficiently Protected Credentials vulnerabilities.

Lesson learnt: Don't pin versions provided by spring-boot-starter-parent.
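A check for this class of pin, added here as an example and not part of the issue or of the mod-circulation-item project: it reads the `<properties>` of a project pom.xml and of the parent BOM and reports every pin that downgrades, duplicates or upgrades the parent-managed version. Both POM documents below are constructed samples carrying the values from the table above; a real run would load the project's pom.xml and the spring-boot-dependencies-3.1.5.pom fetched from Maven Central.

```python
# Flag pom.xml <properties> that override versions already managed by
# spring-boot-dependencies. Both POMs are constructed samples for offline use.
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

PROJECT_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><properties>
  <postgresql.version>42.5.4</postgresql.version>
  <snakeyaml.version>1.33</snakeyaml.version>
  <hazelcast.version>5.2.1</hazelcast.version>
  <maven-clean-plugin.version>3.1.0</maven-clean-plugin.version>
  <maven-resources-plugin.version>3.3.0</maven-resources-plugin.version>
  <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties></project>"""

# Subset of the spring-boot-dependencies 3.1.5 properties named in the issue.
PARENT_BOM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><properties>
  <postgresql.version>42.6.0</postgresql.version>
  <snakeyaml.version>1.33</snakeyaml.version>
  <hazelcast.version>5.2.4</hazelcast.version>
  <maven-clean-plugin.version>3.2.0</maven-clean-plugin.version>
  <maven-resources-plugin.version>3.3.1</maven-resources-plugin.version>
</properties></project>"""

def properties(pom_xml):
    """Return {name: value} for every child of the POM's <properties> block."""
    props = ET.fromstring(pom_xml).find("m:properties", NS)
    # ElementTree prefixes tags with "{namespace}"; keep only the local name.
    return {} if props is None else {el.tag.split("}")[-1]: (el.text or "").strip() for el in props}

def version_key(v):
    """Compare dotted versions numerically per component, not as strings."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def find_overrides(project_xml, parent_xml):
    """Return {name: (pinned, managed, verdict)} for each project property that
    the parent BOM also manages; verdict is downgrade, redundant or upgrade."""
    parent = properties(parent_xml)
    result = {}
    for name, pinned in properties(project_xml).items():
        if name not in parent:
            continue  # project-specific property, not overriding the BOM
        managed = parent[name]
        verdict = ("downgrade" if version_key(pinned) < version_key(managed)
                   else "redundant" if pinned == managed else "upgrade")
        result[name] = (pinned, managed, verdict)
    return result

if __name__ == "__main__":
    for name, (pinned, managed, verdict) in find_overrides(PROJECT_POM, PARENT_BOM).items():
        print(f"{name}: pinned {pinned}, parent provides {managed} -> {verdict}")
```

Any property reported as downgrade or redundant is a candidate for removal from pom.xml, after which the parent-managed version applies.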


Generated at Thu Feb 08 22:24:14 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.