20 changes: 10 additions & 10 deletions pom.xml
Expand Up @@ -26,7 +26,7 @@
<dependency>
<groupId>org.apache.poi</groupId>
<artifactId>poi-ooxml</artifactId>
<version>[3.17,)</version>
<version>5.4.1</version>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
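Review bot: the new `<version>5.4.1</version>` for `poi-ooxml` is written as a literal inside the dependency, as are the other versions changed in this file. Moving them into `<properties>` (for example a `poi.version` property) or a `<dependencyManagement>` section would make the next security bump a one-line change and keep any sibling POI artifacts declared elsewhere in the pom on the same version.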
Expand All @@ -36,7 +36,7 @@
<dependency>
<groupId>org.apache.activemq</groupId>
<artifactId>activemq-client</artifactId>
<version>[5.15.9,)</version>
<version>6.1.6</version>
</dependency>
Comment on lines 37 to 40

⚠️ Potential issue

ActiveMQ 5.x → 6.1.6 is a breaking change

activemq-client:6.x moved to Jakarta JMS 3.0 namespaces (jakarta.jms.*).
If your code still imports javax.jms.*, it will not compile. Consider either:

-<version>6.1.6</version>
+<version>[5.17.6]</version> <!-- latest 5.x security line -->

until the source is migrated.

🤖 Prompt for AI Agents
In pom.xml around lines 37 to 40, the activemq-client dependency version 6.1.6
uses Jakarta JMS 3.0 namespaces (jakarta.jms.*), which breaks compatibility with
code importing javax.jms.*. To fix this, either downgrade the activemq-client
version to a 5.x release compatible with javax.jms.*, or update your source code
imports and usage to the new jakarta.jms.* namespaces to match version 6.x.

<dependency>
<groupId>javax.mail</groupId>
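Review bot: at the `activemq-client` `<version>` line, the old value `[5.15.9,)` was an open range with no upper bound, so Maven was already free to resolve a 6.x release before this change. Check which version the last successful build actually resolved (for example from `mvn dependency:tree`) and state it in the PR description, so reviewers know whether the pin to 6.1.6 changes the major version in practice or only freezes it.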
Expand All @@ -46,7 +46,7 @@
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>fastjson</artifactId>
<version>1.2.34</version>
<version>1.2.83_noneautotype</version>
</dependency>
<dependency>
<groupId>org.apache.geronimo.specs</groupId>
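Review bot: the `_noneautotype` suffix in `<version>1.2.83_noneautotype</version>` indicates a fastjson build with autoType support removed, which is a runtime behaviour change and not only a version bump. Confirm that no code path in the project depends on `@type`-driven deserialization, and add a test that parses a representative payload so a regression shows up at build time instead of in production.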
Expand All @@ -57,12 +57,12 @@
<dependency>
<groupId>com.squareup.retrofit</groupId>
<artifactId>converter-simplexml</artifactId>
<version>1.6.1</version>
<version>2.0.0-beta2</version>
</dependency>
Comment on lines 58 to 61

🛠️ Refactor suggestion

Still using a beta Retrofit converter

converter-simplexml:2.0.0-beta2 is eight years old, lacks security fixes, and was never promoted to stable. Retrofit 2.11.0 ships converter-simplexml:2.11.0. Recommend upgrading:

-<version>2.0.0-beta2</version>
+<version>2.11.0</version>
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
<groupId>com.squareup.retrofit</groupId>
<artifactId>converter-simplexml</artifactId>
<version>1.6.1</version>
<version>2.0.0-beta2</version>
</dependency>
<groupId>com.squareup.retrofit</groupId>
<artifactId>converter-simplexml</artifactId>
- <version>2.0.0-beta2</version>
+ <version>2.11.0</version>
</dependency>
🤖 Prompt for AI Agents
In pom.xml around lines 58 to 61, the Retrofit converter-simplexml dependency is
using an outdated beta version 2.0.0-beta2. Update the version to 2.11.0 to use
the stable release that comes with Retrofit 2.11.0, ensuring you get the latest
security fixes and improvements.

<dependency>
<groupId>com.google.protobuf</groupId>
<artifactId>protobuf-java</artifactId>
<version>3.16.1</version>
<version>3.25.5</version>
</dependency>
<dependency>
<groupId>redis.clients</groupId>
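Review bot: the `converter-simplexml` entry keeps `<groupId>com.squareup.retrofit</groupId>` while its version moves from 1.6.1 to a 2.x beta. Stable Retrofit 2 artifacts are published under the `com.squareup.retrofit2` groupId, so any move to a stable 2.x converter needs the groupId changed along with the version, and the core Retrofit dependency has to move in the same change because 1.x and 2.x converters are not interchangeable.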
Expand All @@ -79,12 +79,12 @@
<dependency>
<groupId>org.redisson</groupId>
<artifactId>redisson</artifactId>
<version>3.5.3</version>
<version>3.6.1</version>
</dependency>
Comment on lines 80 to 83

🛠️ Refactor suggestion

Redisson 3.6.1 is old and vulnerable

Latest stable is 3.29.x with multiple CVE fixes (ACL auth, DNS failover). Using 3.6.1 undermines the PR’s security goal.

-<version>3.6.1</version>
+<version>3.29.0</version>
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
<groupId>org.redisson</groupId>
<artifactId>redisson</artifactId>
<version>3.5.3</version>
<version>3.6.1</version>
</dependency>
<groupId>org.redisson</groupId>
<artifactId>redisson</artifactId>
- <version>3.6.1</version>
+ <version>3.29.0</version>
</dependency>
🤖 Prompt for AI Agents
In pom.xml around lines 80 to 83, the Redisson dependency version 3.6.1 is
outdated and has known vulnerabilities. Update the version to the latest stable
release, 3.29.x, to ensure security improvements and fixes are included. Modify
the <version> tag accordingly to reflect this newer version.

<dependency>
<groupId>commons-beanutils</groupId>
<artifactId>commons-beanutils</artifactId>
<version>1.9.4</version>
<version>1.11.0</version>
</dependency>
Comment on lines 85 to 88

⚠️ Potential issue

commons-beanutils:1.11.0 does not exist on Maven Central

Current lineage ends at 1.9.4 (patched for CVE-2019-10086). Build will fail to resolve. Use:

-<version>1.11.0</version>
+<version>1.9.4</version>
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
<groupId>commons-beanutils</groupId>
<artifactId>commons-beanutils</artifactId>
<version>1.9.4</version>
<version>1.11.0</version>
</dependency>
<groupId>commons-beanutils</groupId>
<artifactId>commons-beanutils</artifactId>
<version>1.9.4</version>
</dependency>
🤖 Prompt for AI Agents
In pom.xml around lines 85 to 88, the dependency version
commons-beanutils:1.11.0 does not exist on Maven Central and will cause build
failures. Change the version to 1.9.4, which is the latest available patched
version, to ensure the dependency resolves correctly during build.

<dependency>
<groupId>com.googlecode.concurrentlinkedhashmap</groupId>
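Review bot: the `commons-beanutils` change to `<version>1.11.0</version>` should be backed by a resolution check in the PR pipeline before merge, because a version that cannot be fetched only fails the build on a clean cache. Running `mvn -U dependency:resolve` against an empty local repository would confirm that this and the other new versions in the file exist upstream, and the output can be attached to the PR.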
Expand All @@ -99,7 +99,7 @@
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid</artifactId>
<version>1.2.4</version>
<version>1.2.22</version>
</dependency>
<dependency>
<groupId>io.protostuff</groupId>
Expand Down Expand Up @@ -135,12 +135,12 @@
<dependency>
<groupId>com.esotericsoftware.yamlbeans</groupId>
<artifactId>yamlbeans</artifactId>
<version>1.15</version>
<version>1.17</version>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>8.0.22</version>
<version>8.0.31</version>
</dependency>
<dependency>
<groupId>org.jetbrains</groupId>
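Review bot: the `mysql-connector-java` bump to `<version>8.0.31</version>` keeps the `mysql:mysql-connector-java` coordinates, but 8.0.31 is the release from which the driver is published as `com.mysql:mysql-connector-j`, with the old coordinates kept only as a relocation. Switch the groupId and artifactId in this same change so that later driver security releases can be picked up without another coordinate migration.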