CHK-13036: Fix dependabot alert 30 (io.netty:netty-codec-http)#324

Closed
pboos wants to merge 1 commit into main from CHK-13036-dependabot-alert

Conversation

@pboos pboos commented Feb 10, 2026

Contributor

Summary

  • Fixes Dependabot alert #30 (CVE-2025-67735: CRLF injection in io.netty.handler.codec.http.HttpRequestEncoder)
  • Upgrades transitive io.netty:netty-codec-http from 4.2.7.Final to 4.2.8.Final via a Gradle dependency constraint
  • The vulnerable package is a transitive dependency from Spring Boot 4.0.0 → reactor-netty-http → netty-codec-http, so a constraint override is used rather than a direct dependency update

Changes

  • gradle/libs.versions.toml — Added netty = "4.2.8.Final" version entry
  • build.gradle — Added dependency constraint in subprojects to force io.netty:netty-codec-http to the patched version
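
The constraint described in the two items above, written out as an added example in Gradle's Groovy DSL (this is not the PR's own diff, which is not shown on the page). It assumes a multi-project build whose root build.gradle configures subprojects, a `netty = "4.2.8.Final"` entry under `[versions]` in gradle/libs.versions.toml as the PR describes, and the generated `libs` catalog accessor being reachable from the root script. The `plugins.withId('java')` wrapper is an assumption added so the `implementation` configuration exists before the constraint is registered:

```groovy
// Added example, not the PR's code. Forces a patched version of a transitive
// dependency with a Gradle dependency constraint instead of a direct dependency.
//
// Assumed gradle/libs.versions.toml entry (as described in the PR):
//   [versions]
//   netty = "4.2.8.Final"

subprojects {
    // Wait until the subproject applies the Java plugin, so that the
    // `implementation` configuration the constraint targets already exists.
    plugins.withId('java') {
        dependencies {
            constraints {
                // A constraint only takes effect when the module is already in
                // the graph (here pulled in via spring-boot -> reactor-netty-http
                // -> netty-codec-http). It adds no new dependency; Gradle resolves
                // the conflict between the transitive request (4.2.7.Final) and
                // this constraint (4.2.8.Final) by selecting the higher version.
                implementation("io.netty:netty-codec-http:${libs.versions.netty.get()}") {
                    // Recorded in dependency reports so reviewers can see why the
                    // version was overridden.
                    because 'CVE-2025-67735: CRLF injection in HttpRequestEncoder (Dependabot alert #30)'
                }
            }
        }
    }
}
```

To confirm the override actually took effect, run `./gradlew :<subproject>:dependencyInsight --dependency io.netty:netty-codec-http --configuration runtimeClasspath` and check that 4.2.8.Final is selected with the `because` reason shown. Two caveats a reviewer would raise: the constraint is silently inert if the module ever stops being requested transitively (so it does not replace a dependency scanner), and it pins only this one artifact, so other netty modules from the same BOM stay at the old version unless constrained too. Upgrading the framework that brings the dependency in is the cleaner fix when it is available, which is why this PR was closed once the Spring Boot update covered the alert.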

Override transitive io.netty:netty-codec-http version to 4.2.8.Final
via dependency constraint to fix CVE-2025-67735 (CRLF injection in
HttpRequestEncoder).
@gyg-pr-tool gyg-pr-tool Bot changed the title from "[CHK-13036] Fix dependabot alert 30 (io.netty:netty-codec-http)" to "CHK-13036: Fix dependabot alert 30 (io.netty:netty-codec-http)" Feb 10, 2026
@pboos pboos marked this pull request as ready for review February 10, 2026 09:56
@pboos pboos requested a review from a team as a code owner February 10, 2026 09:56
@pboos pboos requested a review from ronaldgyg February 10, 2026 09:56
pboos commented Feb 10, 2026

Contributor Author

Not needed, as the Spring Boot update fixed the Dependabot issue.

@pboos pboos closed this Feb 10, 2026
@gygrobot gygrobot deleted the CHK-13036-dependabot-alert branch June 1, 2026 10:58