Merge pull request #379 from yetanalytics/jetty-http2-common-fix

Pedestal CVE updates
yetanalytics · Feb 29, 2024 · 6716484 · 6716484
2 parents 2202077 + 52b727e
commit 6716484
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 10 deletions.
diff --git a/.nvd/suppression.xml b/.nvd/suppression.xml
@@ -1,13 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-    <!-- The FP affects the Golang, not Java, version of msgpack -->
-    <suppress>
-        <notes><![CDATA[
-        file name: msgpack-0.6.12.jar
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.msgpack/msgpack@.*$</packageUrl>
-        <cve>CVE-2022-41719</cve>
-    </suppress>
     <!-- This CVE affects a single version of Postgres Server itself, not the driver at all and cannot be patched in this project -->
     <suppress base="true">
         <notes><![CDATA[

diff --git a/deps.edn b/deps.edn
@@ -25,8 +25,10 @@
   com.zaxxer/HikariCP                      {:mvn/version "5.0.0"
                                             :exclusions  [org.slf4j/slf4j-api]}
   ;; Pedestal and Jetty webserver deps 
-  io.pedestal/pedestal.jetty               {:mvn/version "0.6.2"}
-  org.eclipse.jetty/jetty-alpn-java-server {:mvn/version "9.4.53.v20231009"}
+  io.pedestal/pedestal.jetty               {:mvn/version "0.6.3"
+                                            :exclusions  [org.eclipse.jetty.http2/http2-server]}
+  org.eclipse.jetty.http2/http2-server     {:mvn/version "9.4.54.v20240208"}
+  org.eclipse.jetty/jetty-alpn-java-server {:mvn/version "9.4.54.v20240208"}
   ;; Security deps
   buddy/buddy-core    {:mvn/version "1.11.418"
                        :exclusions [org.bouncycastle/bcprov-jdk18on]}